# SARE Header Abuse Ruleset for SpamAssassin -- file 0
# Version:  01.03.16
# Created:  2004-04-25
# Modified: 2005-10-28
# Usage instructions and documentation in 70_sare_header0.cf 

# Full Revision History / Change Log in 70_sare_header.log
#@@# 01.03.16  Oct 28 2005
#@@#           Minor score updates based on additional mass-check
#@@#           Added to file 0:          SARE_FRM_HOODIA
#@@#           Added to file 0:          SARE_HEAD_HDR_XIDSRVR
#@@#           Added to file 0:          SARE_RECV_IP_064069032
#@@#           Added to file 0:          SARE_RECV_IP_066059094
#@@#           Added to file 0:          SARE_RECV_IP_066159017
#@@#           Added to file 0:          SARE_RECV_IP_204010039
#@@#           Added to file 0:          SARE_XMAIL_LEO
#@@#           Moved file 0 to file 1:   SARE_BOUNDARY_LC
#@@#           Moved file 0 to file 1:   SARE_FREE_WEBM_FrVoila
#@@#           Moved file 0 to file 1:   SARE_HEAD_HDR_XBBOUNC
#@@#           Moved file 0 to file 1:   SARE_HEAD_XWORD
#@@#           Moved file 0 to file 1:   SARE_RECV_IP_066165224
#@@#           Moved file 0 to file 1:   SARE_RECV_IP_218088
#@@#           Moved file 0 to file 1:   SARE_XMAIL_TOLMAIL
#@@#           Moved file 0 to file 2:   SARE_RECV_IP_063111025
#@@#           Moved file 0 to file 2:   SARE_RECV_RANDOM
#@@#           Moved file 0 to file x31: SARE_MULT_RATW_02 to x31 file; RATWARE_NAME_ID is now in version 3.1.0
#@@#           Moved file 1 to file 0:   SARE_HEAD_XMIMEO_MS
#@@#           Moved file 1 to file 0:   SARE_RECV_IP_069060122
#@@#           Moved file 1 to file 0:   SARE_XMAIL_DYNAMAILER
#@@#           Moved file 2 to file 0:   SARE_HEAD_HDR_XE
#@@#           Replaced                  __SARE_HEAD_HDR_MIMEV in SARE_HEAD_MIME_INVALID with SA 2.60 rule __MIME_VERSION
#@@#           Replaced                  __SARE_HEAD_MAIL_BAT1 in SARE_HEAD_BAT_WEB with SA 3.1.0 rule __THEBAT_MUA

# License: Artistic - see http://www.rulesemporium.com/license.txt 
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_header0.cf 
# 
# Usage:  This family of files, 70_sare_header*.cf, contain rules that test email headers 
#         (except the Subject header, which is handled in the 70_sare_genlsubj*.cf family of files). 
#
# File 0: 70_sare_header0.cf -- These are header rules that hit at least 10 spam and no ham. 
#         While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
#         This is a rules file we expect any/all email systems using SpamAssassin to benefit from. 
#
# File 1: 70_sare_header1.cf -- These are header rules that meet one of the following criteria: 
#         a) Rules that do, or in the past have hit ham during SARE mass-check tests 
#         b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run. 
#         If the rules hit ham, they hit at least 10 spam to each 1 ham. 
#         With few exceptions these rules score significantly less than the rules in file 0. 
#         Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset, 
#         pick and choose among its rules, or lower their scores.
#         Systems that use this file 1 should ALSO use file 0. 
#
# File 2: 70_sare_header2.cf -- These header rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
#         These are primarily rules that test for specific headers seen only in spam, or similar types of "pretty darn sure" rules. 
#         Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead, 
#         but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
#
# File 3: 70_sare_header3.cf -- These are header rules that hit a significant amount of ham during SARE mass-check tests. 
#         Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset. 
#
# File 4: 70_sare_header4.cf -- These are header rules that meet one of the following criteria: 
#         a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems. 
#         b) They hit no emails at this time, but have been recommended by anti-spam sources (such as rules developed from Spam-L list reports).
#         Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset. 
#
# eng:    70_sare_header_eng.cf -- These are header rules which work well within the English language, but are liable to cause false
#         positives in other languages. They include rules which test for letter combinations and encoded headers. Systems that
#         receive ham in languages other than English should NOT use this file. 
#
# x264_x30: 70_sare_header_x264_x30.cf -- These are header rules which have been incorporated into both SpamAssassin 2.64 and 3.0.x, 
#         or which duplicate or greatly overlap both 3.0.x rules. 
#         Systems which have installed SpamAssassin version 2.64 or 3.0.x should therefore NOT use this file.
#
# x30:    70_sare_header_x30.cf -- These are header rules which have been incorporated into SpamAssassin 3.0.x, 
#         or which duplicate or greatly overlap 3.0.x rules. 
#         Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
#
# arc:    70_sare_header_arc.cf -- These are header rules that once were published in other files, but which have since lost all value.
#         They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam. 
#         SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but 
#         we expect that nobody will be running these rules in any production system. 

########  ######################   ##################################################
#    Component rules used within meta rules 
########  ######################   ##################################################

# Unscored component rule (double-underscore name, no score line): true when the Subject
# contains a run of three or more consecutive bytes in the range 0x80-0xFF.
# The counts below include ham hits (110h in the RM corpus), so this is a building block for
# meta rules, as the section banner says, and not a spam verdict by itself.
# NOTE(review): there is no :raw modifier, so SpamAssassin presumably matches the decoded Subject;
# legitimately encoded non-ASCII subjects would then match too -- confirm on the deployed version.
header    __SARE_HEAD_8BIT_SUBJ    Subject =~ /[\x80-\xff]{3,}/
#counts   __SARE_HEAD_8BIT_SUBJ    17149s/110h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   __SARE_HEAD_8BIT_SUBJ    3478s/2h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   __SARE_HEAD_8BIT_SUBJ    2s/1h of 26190 corpus (22790s/3400h MY) 02/15/05

########  ######################   ##################################################
#    Meta rules used to prevent --lint errors after moving/changing rules
########  ######################   ##################################################

# Placeholder definitions. Each line declares the named rule as a meta rule whose expression is
# the constant 0, so the rule exists but can never fire. Per the section banner, this keeps
# --lint free of errors for rule names that were moved to another file or changed
# (presumably because score or meta lines elsewhere still refer to them -- confirm).
# NOTE(review): several of these names are listed in the change log as moved to file 1, file 2
# or the x31 file. When such a file is installed next to this one, the name is defined twice and
# which definition takes effect is not visible here; run `spamassassin --lint` after adding or
# removing any SARE file and check that the moved rules still fire as intended.
meta      SARE_HEAD_HDR_APPROV     0  
meta      SARE_HEAD_HDR_CONVWLS    0  
meta      SARE_HEAD_HDR_DISCREC    0  
meta      SARE_HEAD_HDR_XENC       0  
meta      SARE_HEAD_HDR_XENVID     0  
meta      SARE_HEAD_HDR_XMAILID    0  
meta      SARE_HEAD_HDR_XTID       0  
meta      SARE_FROM_PRINTER        0  
meta      SARE_FROM_DEBT           0  
meta      SARE_FROM_DVDCOPY        0  
meta      SARE_FROM_SPAM_CHAR0     0  
meta      SARE_FREE_WEBM_Jpop      0  
meta      SARE_FREE_WEBM_NETCITY   0  
meta      SARE_FREE_WEBM_ZCom03    0  
meta      SARE_MSGID_LONG          0  
meta      SARE_HELO_YAHOO          0  
meta      SARE_RECV_SPAM_DOMN0a    0  
meta      SARE_RECV_SPAM_DOMN02    0  
meta      SARE_RECV_VIRTUACOMBR    0  
meta      SARE_RECV_IP_066111      0  
meta      SARE_RECV_IP_081019      0  
meta      SARE_RECV_IP_082154      0  
meta      SARE_RECV_IP_195229      0  
meta      SARE_RECV_IP_200150      0  
meta      SARE_RECV_IP_218216      0  
meta      SARE_RECV_IP_222000      0  
meta      SARE_RECV_IP_222126      0  
meta      SARE_XMAIL_PSSMAILER     0  
meta      SARE_XMAIL_RLSP          0  
meta      SARE_MULT_VIA_CITIZNET   0  
meta      SARE_FROM_SUPPORT_DIG    0  
meta      SARE_TOCC_BCC_MANY       0  
meta      SARE_HEAD_HDR_EPATH      0  
meta      SARE_HEAD_HDR_XAR        0  
meta      SARE_HEAD_HDR_XNOSPAM    0  
meta      SARE_FROM_QUOTE          0  
meta      SARE_FROM_SPACE2         0  
meta      SARE_MSGID_EMPTY         0  
meta      SARE_RECV_SPAM_DOMN81    0  
meta      SARE_RECV_SPAM_NAME0     0  
meta      SARE_FROM_SPAM_NAME0     0  
meta      SARE_HEAD_HDR_XAUTOGN    0  
meta      SARE_HEAD_HDR_XCCDIAG    0  
meta      SARE_HEAD_HDR_XMLFILT    0  
meta      SARE_HELO_MAIL           0  
meta      SARE_HEAD_HDR_XACWGHT    0  
meta      SARE_HEAD_HDR_XMCAVTP    0  
meta      SARE_USERAG_Dig          0  
meta      SARE_HEAD_HDR_XUNOLOOK   0  
meta      SARE_MSGID_2KDD          0  
meta      SARE_REPLY_SPAMWORD0     0  
meta      SARE_FROM_SPAM_WORD0     0  
meta      SARE_TOCC_COMBO1         0  
meta      SARE_FROM_UK2NET2        0  
meta      SARE_FREE_WEBM_NetSafe   0  
meta      SARE_FREE_WEBM_ZCom02    0  
meta      SARE_RECV_SKANOVA        0  
meta      SARE_RECV_IP_061050      0  
meta      SARE_RECV_IP_140117      0  
meta      SARE_RECV_IP_211216      0  
meta      SARE_TO_EMPTY            0  
meta      SARE_HEAD_8BIT_SPAM      0  
meta      SARE_RECV_SPAM_DOMN3     0  
meta      SARE_BOUNDARY_D8         0 
meta      SARE_HEAD_HDR_XCONTAC    0            
meta      SARE_RECV_IP_066114b     0
meta      SARE_BOUNDARY_05         0
meta      SARE_BOUNDARY_06         0
meta      SARE_FREE_WEBM_ZZa001    0
meta      SARE_FROM_CAPS_MSN       0
meta      SARE_FROM_NUM_9DIG       0
meta      SARE_FROM_SPAM_DOMN0     0
meta      SARE_FROM_SPAM_PL1       0
meta      SARE_HEAD_8BIT_DATE      0
meta      SARE_HEAD_8BIT_NOSPM     0
meta      SARE_HEAD_DATE14         0
meta      SARE_HEAD_DATE_5L        0
meta      SARE_HEAD_HDR_XLISTAD    0
meta      SARE_HEAD_HDR_XRIPE      0
meta      SARE_HEAD_HDR_XWTID      0
meta      SARE_HEAD_HDR_XWTVERS    0
meta      SARE_HELO_SERVER         0
meta      SARE_MSGID_D1D1D2D16     0
meta      SARE_RECV_BEZEQINT_B     0
meta      SARE_RECV_IP_061072      0
meta      SARE_RECV_IP_061190      0
meta      SARE_RECV_IP_061228      0
meta      SARE_RECV_IP_062023      0
meta      SARE_RECV_IP_192116      0
meta      SARE_RECV_IP_203177      0
meta      SARE_RECV_IP_218078      0
meta      SARE_RECV_IP_221124      0
meta      SARE_RECV_IP_222064      0
meta      SARE_RECV_ISWEST         0
meta      SARE_RECV_PATMEDIA       0
meta      SARE_BOUNDARY_NP2        0
meta      SARE_CONTENT_BITBITNUM   0
meta      SARE_FROM_VIRUS1         0
meta      SARE_HEAD_HDR_JLH        0
meta      SARE_HEAD_HDR_RTNPATH    0
meta      SARE_MULT_RATW_03        0
meta      SARE_RECV_IP_064192191   0
meta      SARE_BOUNDARY_D10        0
meta      SARE_HEAD_HDR_XMAILTH    0
meta      SARE_HEAD_HDR_XMLRSRV    0
meta      SARE_HEAD_HDR_XSMTPSV    0
meta      SARE_HEAD_HDR_XUMAIL     0
meta      SARE_MSGID_LONG50        0
meta      SARE_RECV_SPAM_DOMN04    0
meta      SARE_XMAIL_GOMAIL        0
meta      SARE_HEAD_8BIT_RECV      0
meta      SARE_RECV_FEP5           0
meta      SARE_RECV_IP_203210128   0
meta      SARE_RECV_SPAM_DOMN06    0
meta      SARE_FREE_WEBM_ZCom05    0
meta      SARE_HEAD_XUNSENT        0
meta      SARE_RECV_IP_069050210   0
meta      SARE_RECV_IP_206131      0
meta      SARE_RECV_IP_206248152   0
meta      SARE_RECV_PORTHELO_1     0
meta      SARE_RECV_PORTHELO_2     0
meta      SARE_RECV_PORTHELO_3     0
meta      SARE_RECV_CHAR_CARAT     0
meta      SARE_MULT_RATW_02        0
meta      SARE_BOUNDARY_LC         0
meta      SARE_FREE_WEBM_FrVoila   0
meta      SARE_RECV_IP_066165224   0
meta      SARE_RECV_IP_218088      0
meta      SARE_XMAIL_TOLMAIL       0
meta      SARE_RECV_IP_063111025   0
meta      SARE_RECV_RANDOM         0
# NOTE(review): from here down to SARE_MULT_RATW_02 the list repeats the eight names declared
# immediately above; only SARE_HEAD_XWORD, SARE_HEAD_HDR_XBBOUNC and SARE_RECV_IP_071004246 are new.
# The repeats are identical declarations, so they are redundant.
meta      SARE_BOUNDARY_LC         0
meta      SARE_FREE_WEBM_FrVoila   0
meta      SARE_HEAD_XWORD          0
meta      SARE_RECV_IP_066165224   0
meta      SARE_RECV_IP_218088      0
meta      SARE_XMAIL_TOLMAIL       0
meta      SARE_RECV_IP_063111025   0
meta      SARE_RECV_RANDOM         0
meta      SARE_MULT_RATW_02        0
meta      SARE_HEAD_HDR_XBBOUNC    0
meta      SARE_RECV_IP_071004246   0

#####################################################################################
#         SARE Header-Exists rules
########  ######################   ##################################################

# Presence-only test: fires on any message that has a Conversion header; the value is never examined.
# NOTE(review): Conversion is a header name used by X.400/MIME mail gateways (RFC 2156), so genuine
# gatewayed mail could match. The zero-ham counts below date from 2004-2005; re-check against local ham.
header    SARE_HEAD_HDR_CONVER     exists:Conversion
describe  SARE_HEAD_HDR_CONVER     Message headers used which identify spam
score     SARE_HEAD_HDR_CONVER     1.111 
#stype    SARE_HEAD_HDR_CONVER     spamp
#counts   SARE_HEAD_HDR_CONVER     12s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_CONVER     54s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_HEAD_HDR_CONVER     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_CONVER     9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_CONVER     10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_CONVER     5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_CONVER     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_HDR_CONVER     0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

# Presence-only test for Disposition-Notification-Options; the value is never examined.
# NOTE(review): this header name belongs to the read-receipt (MDN) specification, so a legitimate
# client that sets receipt options would also score 1.111 here. The zero-ham counts below are from
# 2004-2005 corpora -- confirm against current ham before relying on the score.
header    SARE_HEAD_HDR_DISPNOP    exists:Disposition-Notification-Options
describe  SARE_HEAD_HDR_DISPNOP    Message headers used which identify spam
score     SARE_HEAD_HDR_DISPNOP    1.111
#stype    SARE_HEAD_HDR_DISPNOP    spamp
#counts   SARE_HEAD_HDR_DISPNOP    16s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_DISPNOP    60s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_DISPNOP    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_DISPNOP    11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_DISPNOP    13s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_DISPNOP    2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_DISPNOP    14s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_DISPNOP    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for a header named exactly Language; Content-Language is a different header
# and is not tested by this rule.
# NOTE(review): Language is among the X.400 gateway header names in RFC 2156, so gatewayed ham
# could match. RM spam hits went from a maximum of 413 (01/15/05) to 122 (09/18/05) per the counts below.
header    SARE_HEAD_HDR_LANG       exists:Language
describe  SARE_HEAD_HDR_LANG       Message headers used which identify spam
score     SARE_HEAD_HDR_LANG       1.666
#stype    SARE_HEAD_HDR_LANG       spamp
#counts   SARE_HEAD_HDR_LANG       122s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_HDR_LANG       413s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_LANG       78s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_LANG       86s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_LANG       1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_HEAD_HDR_LANG       3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_HEAD_HDR_LANG       19s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_LANG       42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_LANG       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for Newsletter-ID; the value is never examined.
# NOTE(review): the latest RM, MY and CT runs below record 0 spam hits (the RM maximum was 173 on
# 02/04/05), so the 1.666 score rests mostly on older data. The header name could plausibly be used
# by legitimate bulk senders as well -- verify against local ham.
header    SARE_HEAD_HDR_NLETRID    exists:Newsletter-ID
describe  SARE_HEAD_HDR_NLETRID    Message headers used which identify spam
score     SARE_HEAD_HDR_NLETRID    1.666
#stype    SARE_HEAD_HDR_NLETRID    spamp
#counts   SARE_HEAD_HDR_NLETRID    0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#max      SARE_HEAD_HDR_NLETRID    173s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#counts   SARE_HEAD_HDR_NLETRID    0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_HEAD_HDR_NLETRID    1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_HDR_NLETRID    28s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_NLETRID    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_NLETRID    12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_NLETRID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for a header named PID; the value is never examined.
# The latest RM run below shows 1 spam hit against a maximum of 139 on 02/04/05, so the pattern
# was already fading when these counts were taken.
# NOTE(review): a name this short and generic may be reused by unrelated software -- check local ham.
header    SARE_HEAD_HDR_PID        exists:PID
describe  SARE_HEAD_HDR_PID        Message headers used which identify spam
score     SARE_HEAD_HDR_PID        1.666
#stype    SARE_HEAD_HDR_PID        spamp
#counts   SARE_HEAD_HDR_PID        1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_PID        139s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#counts   SARE_HEAD_HDR_PID        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_PID        36s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_PID        0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_PID        20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_PID        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for Prevent-NonDelivery-Report; the value is never examined.
# NOTE(review): this is one of the X.400 gateway header names in RFC 2156, so mail that really
# passed through such a gateway could match. The zero-ham counts below are from 2004-2005 corpora.
header    SARE_HEAD_HDR_PREVNDR    exists:Prevent-NonDelivery-Report
describe  SARE_HEAD_HDR_PREVNDR    Message headers used which identify spam
score     SARE_HEAD_HDR_PREVNDR    1.666
#stype    SARE_HEAD_HDR_PREVNDR    spamp
#counts   SARE_HEAD_HDR_PREVNDR    19s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_PREVNDR    129s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_PREVNDR    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_PREVNDR    18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_PREVNDR    20s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_PREVNDR    6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_PREVNDR    21s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_PREVNDR    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-BounceTrace; the value is never examined.
# All 96 recorded spam hits come from the RM corpus; the other four corpora below show no hits,
# so the evidence for this rule is a single mail stream.
header    SARE_HEAD_HDR_XBNCETR    exists:X-BounceTrace
describe  SARE_HEAD_HDR_XBNCETR    Message headers used which identify spam
score     SARE_HEAD_HDR_XBNCETR    1.111
#stype    SARE_HEAD_HDR_XBNCETR    spamp
#counts   SARE_HEAD_HDR_XBNCETR    96s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-Campidz; the value is never examined.
# Scored 2.333 on the strength of 2171 spam / 0 ham hits in the RM corpus (09/18/05) plus 9 in MY.
# NOTE(review): the header is set by the sender, so the rule only identifies senders that keep
# emitting it; re-validate against current mail before keeping a score this high.
header    SARE_HEAD_HDR_XCAMPIDZ   exists:X-Campidz
describe  SARE_HEAD_HDR_XCAMPIDZ   Message headers used which identify spam
score     SARE_HEAD_HDR_XCAMPIDZ   2.333
#stype    SARE_HEAD_HDR_XCAMPIDZ   spamp
#counts   SARE_HEAD_HDR_XCAMPIDZ   2171s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XCAMPIDZ   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XCAMPIDZ   9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_HEAD_HDR_XCAMPIDZ   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XCAMPIDZ   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-ClientHost; the value is never examined.
# At 2.888 this is the highest-scored rule in the Header-Exists section: a single header name
# contributes more than half of SpamAssassin's default 5.0 threshold.
# NOTE(review): the score rests on 7465 spam / 0 ham in the RM corpus of 09/18/05; a false positive
# here is costly, so confirm that no legitimate sender in current traffic adds this header.
header    SARE_HEAD_HDR_XCLIHST    exists:X-ClientHost
describe  SARE_HEAD_HDR_XCLIHST    Message headers used which identify spam
score     SARE_HEAD_HDR_XCLIHST    2.888
#stype    SARE_HEAD_HDR_XCLIHST    spamp
#counts   SARE_HEAD_HDR_XCLIHST    7465s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XCLIHST    2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_XCLIHST    19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_HEAD_HDR_XCLIHST    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XCLIHST    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for a header named exactly X-E; the value is never examined.
# The change log at the top of this file records the rule as moved from file 2 to file 0 in 01.03.16.
# All 810 recorded spam hits come from the RM corpus; the other corpora below show none.
header    SARE_HEAD_HDR_XE         exists:X-E
describe  SARE_HEAD_HDR_XE         Message headers used which identify spam
score     SARE_HEAD_HDR_XE         1.666
#counts   SARE_HEAD_HDR_XE         810s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XE         0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XE         0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XE         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XE         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-CS-IP; the value is never examined.
# The #hist line names FH_HAS_CS_IP, presumably the rule this one was derived from.
# Hits were seen in four of the five corpora below, with no ham, all dated 2004-2005.
header    SARE_HEAD_HDR_XCSIP      exists:X-CS-IP
describe  SARE_HEAD_HDR_XCSIP      Message headers used which identify spam
score     SARE_HEAD_HDR_XCSIP      1.666
#stype    SARE_HEAD_HDR_XCSIP      spamp
#hist     SARE_HEAD_HDR_XCSIP      FH_HAS_CS_IP
#counts   SARE_HEAD_HDR_XCSIP      155s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_XCSIP      590s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_XCSIP      101s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_XCSIP      127s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_HEAD_HDR_XCSIP      1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XCSIP      136s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XCSIP      13s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_XCSIP      98s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_XCSIP      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-EMail; the value is never examined.
# All 841 recorded spam hits come from the RM corpus; the other corpora below show none.
# NOTE(review): the name is generic enough that unrelated software might add it -- check local ham.
header    SARE_HEAD_HDR_XEMAIL     exists:X-EMail
describe  SARE_HEAD_HDR_XEMAIL     Message headers used which identify spam
score     SARE_HEAD_HDR_XEMAIL     1.666
#stype    SARE_HEAD_HDR_XEMAIL     spamp
#counts   SARE_HEAD_HDR_XEMAIL     841s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XEMAIL     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XEMAIL     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XEMAIL     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XEMAIL     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-Encoding-Version; the value is never examined.
# NOTE(review): SARE_HEAD_HDR_XFIND in this file records the same 306 RM spam hits, which suggests
# (not shown here) that the two headers arrive on the same messages. If so, one message collects
# both scores, 3.332 in total, from what is effectively a single signal.
header    SARE_HEAD_HDR_XENCVER    exists:X-Encoding-Version
describe  SARE_HEAD_HDR_XENCVER    Message headers used which identify spam
score     SARE_HEAD_HDR_XENCVER    1.666
#stype    SARE_HEAD_HDR_XENCVER    spamp
#counts   SARE_HEAD_HDR_XENCVER    306s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XENCVER    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XENCVER    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XENCVER    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XENCVER    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-Find; the value is never examined.
# NOTE(review): the RM count (306 spam) equals that of SARE_HEAD_HDR_XENCVER in this file, so the
# two rules probably fire together and their scores add up -- treat them as one signal when tuning.
header    SARE_HEAD_HDR_XFIND      exists:X-Find
describe  SARE_HEAD_HDR_XFIND      Message headers used which identify spam
score     SARE_HEAD_HDR_XFIND      1.666
#stype    SARE_HEAD_HDR_XFIND      spamp
#counts   SARE_HEAD_HDR_XFIND      306s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XFIND      0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XFIND      0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XFIND      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XFIND      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-Gmail-Account; the value is never examined.
# Hit counts are small: 3 spam in the latest RM run, a maximum of 20, none in the other corpora.
# NOTE(review): whether any legitimate mail service or client adds this header cannot be told from
# this file, and the ham corpora are from 2004-2005 -- verify against current ham.
header    SARE_HEAD_HDR_XGMAILA    exists:X-Gmail-Account
describe  SARE_HEAD_HDR_XGMAILA    Message headers used which identify spam
score     SARE_HEAD_HDR_XGMAILA    1.111
#stype    SARE_HEAD_HDR_XGMAILA    spamp
#counts   SARE_HEAD_HDR_XGMAILA    3s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_XGMAILA    20s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-GMX-Antivirus; the value is never examined.
# NOTE(review): the name suggests a virus-scan stamp added by the GMX mail service. If that service
# adds it to ordinary outgoing mail, genuine GMX correspondence would score 1.666 here; the zero-ham
# counts below only show that the ham corpora of 2004-2005 contained no such mail. Verify against
# local ham, especially at sites with GMX correspondents.
header    SARE_HEAD_HDR_XGMXAV     exists:X-GMX-Antivirus
describe  SARE_HEAD_HDR_XGMXAV     Message headers used which identify spam
score     SARE_HEAD_HDR_XGMXAV     1.666 
#counts   SARE_HEAD_HDR_XGMXAV     171s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_XGMXAV     199s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_HEAD_HDR_XGMXAV     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XGMXAV     33s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XGMXAV     7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_XGMXAV     10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XGMXAV     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XGMXAV     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-Identity-Server; the value is never examined.
# Listed in the change log as added to file 0 in 01.03.16. The evidence is thin: 15 spam hits,
# all in the RM corpus, and none in the other four corpora below.
header    SARE_HEAD_HDR_XIDSRVR    exists:X-Identity-Server
describe  SARE_HEAD_HDR_XIDSRVR    Message headers used which identify spam
score     SARE_HEAD_HDR_XIDSRVR    1.111
#stype    SARE_HEAD_HDR_XIDSRVR    spamp
#hist     SARE_HEAD_HDR_XIDSRVR    Bob Menschel, June 3 2005, idea by Alex Broens
#counts   SARE_HEAD_HDR_XIDSRVR    15s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05

# Presence-only test for X-RMD-Text; the value is never examined.
# Recorded hits: 33 spam in the RM corpus and a maximum of 1 in MY, no ham, all from 2004-2005.
header    SARE_HEAD_HDR_XRMDTXT    exists:X-RMD-Text
describe  SARE_HEAD_HDR_XRMDTXT    Message headers used which identify spam
score     SARE_HEAD_HDR_XRMDTXT    1.111
#stype    SARE_HEAD_HDR_XRMDTXT    spamp
#counts   SARE_HEAD_HDR_XRMDTXT    33s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XRMDTXT    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XRMDTXT    1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRMDTXT    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XRMDTXT    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRMDTXT    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-Remove-Address; the value is never examined.
# NOTE(review): the name reads like an unsubscribe hint, which legitimate list software could also
# emit (inference from the name only). The zero-ham counts below are from 2004-2005 corpora.
header    SARE_HEAD_HDR_XRMVADR    exists:X-Remove-Address
describe  SARE_HEAD_HDR_XRMVADR    Message headers used which identify spam
score     SARE_HEAD_HDR_XRMVADR    1.111
#stype    SARE_HEAD_HDR_XRMVADR    spamp
#counts   SARE_HEAD_HDR_XRMVADR    38s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_XRMVADR    42s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_HEAD_HDR_XRMVADR    1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#counts   SARE_HEAD_HDR_XRMVADR    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRMVADR    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XRMVADR    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRMVADR    1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# Presence-only test for X-Responder-CID; the value is never examined.
# NOTE(review): this file also tests X-Responder-ID and X-Responder-USR, and the RM count here
# (25 spam) matches the X-Responder-USR rule. The headers likely come from one tool, so their
# scores probably stack on the same message (up to 3.333 for all three) -- tune them as a group.
header    SARE_HEAD_HDR_XRSPCID    exists:X-Responder-CID
describe  SARE_HEAD_HDR_XRSPCID    Message headers used which identify spam
score     SARE_HEAD_HDR_XRSPCID    1.111
#stype    SARE_HEAD_HDR_XRSPCID    spamp
#counts   SARE_HEAD_HDR_XRSPCID    25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_HEAD_HDR_XRSPCID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRSPCID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XRSPCID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRSPCID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-Responder-ID; the value is never examined.
# The most widely seen of the three X-Responder-* rules in this file: 71 spam hits in RM, plus
# small numbers in the JH and ft corpora, and no ham.
# NOTE(review): likely fires together with the -CID and -USR rules, so the scores add up.
header    SARE_HEAD_HDR_XRSPRID    exists:X-Responder-ID
describe  SARE_HEAD_HDR_XRSPRID    Message headers used which identify spam
score     SARE_HEAD_HDR_XRSPRID    1.111
#stype    SARE_HEAD_HDR_XRSPRID    spamp
#counts   SARE_HEAD_HDR_XRSPRID    71s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XRSPRID    2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_XRSPRID    1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#counts   SARE_HEAD_HDR_XRSPRID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRSPRID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRSPRID    1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# Presence-only test for X-Responder-USR; the value is never examined.
# NOTE(review): the counts below are identical to those of SARE_HEAD_HDR_XRSPCID in this file
# (25 spam in RM, none elsewhere), so the two rules probably match the same messages and each
# adds 1.111 for what is one underlying signal.
header    SARE_HEAD_HDR_XRSPUSR    exists:X-Responder-USR
describe  SARE_HEAD_HDR_XRSPUSR    Message headers used which identify spam
score     SARE_HEAD_HDR_XRSPUSR    1.111
#stype    SARE_HEAD_HDR_XRSPUSR    spamp
#counts   SARE_HEAD_HDR_XRSPUSR    25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_HEAD_HDR_XRSPUSR    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRSPUSR    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XRSPUSR    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRSPUSR    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-SpamTest-Info; the value is never examined.
# NOTE(review): the name looks like a stamp written by a spam-filtering product. If an upstream
# relay or a correspondent's gateway runs such a filter and stamps every message it scans, clean
# mail would score 1.111 here too -- check which hop adds the header before trusting the rule.
header    SARE_HEAD_HDR_XSPAMTST   exists:X-SpamTest-Info
describe  SARE_HEAD_HDR_XSPAMTST   Message headers used which identify spam
score     SARE_HEAD_HDR_XSPAMTST   1.111
#stype    SARE_HEAD_HDR_XSPAMTST   spamp
#hist     SARE_HEAD_HDR_XSPAMTST   Bob Menschel, May 14, 2005
#counts   SARE_HEAD_HDR_XSPAMTST   43s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_XSPAMTST   57s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#counts   SARE_HEAD_HDR_XSPAMTST   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSPAMTST   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_HDR_XSPAMTST   0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

# Presence-only test for X-SP-Track-ID; the value is never examined.
# The #hist line names FH_XSPTRACK, presumably the rule this one was derived from.
# All 593 recorded spam hits come from the RM corpus; the other corpora below show none.
header    SARE_HEAD_HDR_XSPTRID    exists:X-SP-Track-ID
describe  SARE_HEAD_HDR_XSPTRID    Message headers used which identify spam
score     SARE_HEAD_HDR_XSPTRID    1.666
#stype    SARE_HEAD_HDR_XSPTRID    spamp
#hist     SARE_HEAD_HDR_XSPTRID    FH_XSPTRACK
#counts   SARE_HEAD_HDR_XSPTRID    593s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XSPTRID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSPTRID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSPTRID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSPTRID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-UOL-Srv; the value is never examined.
# NOTE(review): the name suggests a server stamp from a mail provider called UOL (inference from
# the name only). If that provider adds it to all mail it handles, its legitimate users would match;
# the ham corpora below may simply not have contained such mail. Verify against local ham.
header    SARE_HEAD_HDR_XUOLSRV    exists:X-UOL-Srv
describe  SARE_HEAD_HDR_XUOLSRV    Message headers used which identify spam
score     SARE_HEAD_HDR_XUOLSRV    1.111
#stype    SARE_HEAD_HDR_XUOLSRV    spamp
#counts   SARE_HEAD_HDR_XUOLSRV    23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XUOLSRV    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XUOLSRV    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XUOLSRV    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XUOLSRV    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-WCMailID; the value is never examined.
# Scored 2.222 on 1011 spam / 0 ham, all of it from the RM corpus (09/18/05); the other four
# corpora below show no hits, so the score reflects one site's mail stream.
header    SARE_HEAD_HDR_XWCMID     exists:X-WCMailID
describe  SARE_HEAD_HDR_XWCMID     Message headers used which identify spam
score     SARE_HEAD_HDR_XWCMID     2.222
#counts   SARE_HEAD_HDR_XWCMID     1011s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XWCMID     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XWCMID     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XWCMID     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XWCMID     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for X-Webmail-Time; the value is never examined.
# Spam hits were seen in four of the five corpora below, with no ham, in runs dated 2004-2005.
# NOTE(review): the name suggests a webmail product's timestamp header; whether any legitimate
# webmail system emits it cannot be told from this file -- verify against local ham.
header    SARE_HEAD_HDR_XWEBMTM    exists:X-Webmail-Time
describe  SARE_HEAD_HDR_XWEBMTM    Message headers used which identify spam
score     SARE_HEAD_HDR_XWEBMTM    1.666
#stype    SARE_HEAD_HDR_XWEBMTM    spamp
#counts   SARE_HEAD_HDR_XWEBMTM    237s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_HDR_XWEBMTM    351s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_XWEBMTM    0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_HEAD_HDR_XWEBMTM    78s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XWEBMTM    100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_XWEBMTM    112s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XWEBMTM    1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_XWEBMTM    41s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_XWEBMTM    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Content-Type and Boundary rules
########  ######################   ##################################################

# MIME boundary whose value, after an optional single or double quote, begins with
# a run of ten or more tildes.  Case-sensitive: only a lowercase "boundary" matches.
header    SARE_BOUNDARY_02         Content-Type =~ /boundary=['"]?~{10,}/
score     SARE_BOUNDARY_02         0.650
describe  SARE_BOUNDARY_02         Too many ~'s in the boundary.
#hist     SARE_BOUNDARY_02         MY_BOUNDARY2
#counts   SARE_BOUNDARY_02         37s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_BOUNDARY_02         51s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts   SARE_BOUNDARY_02         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_BOUNDARY_02         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_02         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_BOUNDARY_03         Content-Type =~ /boundary="-{10}[A-F0-9]{20,}"/
describe  SARE_BOUNDARY_03         Content type boundary used in spam or virus
score     SARE_BOUNDARY_03         1.666
#stype    SARE_BOUNDARY_03         spamp
#hist     SARE_BOUNDARY_03         Created by Bob Menschel May 31 2004
#note     SARE_BOUNDARY_03         Quoted boundary of ten hyphens followed by 20 or more upper-case hex digits and nothing else.
#note     SARE_BOUNDARY_03         No /i flag: lower-case hex, an unquoted value, or a differently-cased "boundary" keyword will not match.
#counts   SARE_BOUNDARY_03         59s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_BOUNDARY_03         132s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_BOUNDARY_03         0s/0h of 13447 corpus (11336s/2111h MY) 06/02/04
#counts   SARE_BOUNDARY_03         590s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_BOUNDARY_03         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_03         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_BOUNDARY_10         Content-Type =~ /boundary=\"----[a-z\d]{10}-[\w\.]+\"$/is
describe  SARE_BOUNDARY_10         Possible spam flag
score     SARE_BOUNDARY_10         2.333
#hist     SARE_BOUNDARY_10         Loren Wilton, Feb 21 2005
#note     SARE_BOUNDARY_10         Quoted boundary: four hyphens, ten alphanumerics, a hyphen, then word characters or dots (case-insensitive).
#note     SARE_BOUNDARY_10         The trailing $ means the boundary parameter must be the last item in the Content-Type header; a parameter placed after it prevents a match.
#counts   SARE_BOUNDARY_10         1831s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_BOUNDARY_10         2495s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_BOUNDARY_10         117s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_BOUNDARY_10         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_10         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_BOUNDARY_10         0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_BOUNDARY_11         Content-Type =~ /boundary=\"--\d{2,7}-\d{2,7}-\d{2,7}\"/
score     SARE_BOUNDARY_11         1.344
describe  SARE_BOUNDARY_11         Possible spam flag
#hist     SARE_BOUNDARY_11         Loren Wilton, Feb 21 2005
#note     SARE_BOUNDARY_11         Quoted boundary made of "--" and three hyphen-separated groups of 2 to 7 digits, with nothing else inside the quotes.
#counts   SARE_BOUNDARY_11         77s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_BOUNDARY_11         125s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts   SARE_BOUNDARY_11         17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_BOUNDARY_11         38s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_BOUNDARY_11         1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_BOUNDARY_11         0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_BOUNDARY_12         Content-Type =~ /boundary=\"--[a-z]+\d+[a-z]+"/ # no /i
describe  SARE_BOUNDARY_12         Possible spam flag
score     SARE_BOUNDARY_12         1.666
#hist     SARE_BOUNDARY_12         Loren Wilton, Feb 21 2005
#note     SARE_BOUNDARY_12         Quoted boundary of "--", lower-case letters, digits, lower-case letters. Case sensitivity is deliberate (see the trailing "no /i"); adding /i would widen the rule.
#counts   SARE_BOUNDARY_12         60s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_BOUNDARY_12         288s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_BOUNDARY_12         27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_BOUNDARY_12         41s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_BOUNDARY_12         45s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_12         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_BOUNDARY_12         0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_BOUNDARY_13         Content-Type =~ /boundary=\"Java\.[A-Z]{5}\.\d{10,30}"/ # no /i
score     SARE_BOUNDARY_13         1.666
describe  SARE_BOUNDARY_13         Possible spam flag
#hist     SARE_BOUNDARY_13         Loren Wilton, Feb 21 2005
#note     SARE_BOUNDARY_13         Quoted boundary "Java." + exactly five upper-case letters + "." + 10 to 30 digits; deliberately case-sensitive.
#note     SARE_BOUNDARY_13         RM hits fell from 614 (#max) to 29 (#counts), so this fingerprint may be ageing out -- re-check before reuse.
#counts   SARE_BOUNDARY_13         29s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_BOUNDARY_13         614s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_BOUNDARY_13         61s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_BOUNDARY_13         86s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_BOUNDARY_13         133s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_13         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_BOUNDARY_13         0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_BOUNDARY_D9         Content-Type =~ /boundary="\d{9}"/
describe  SARE_BOUNDARY_D9         Content type boundary used in spam or virus
score     SARE_BOUNDARY_D9         1.111
#stype    SARE_BOUNDARY_D9         spamp
#hist     SARE_BOUNDARY_D9         Created by Bob Menschel May 31 2004
#note     SARE_BOUNDARY_D9         The quoted boundary must be exactly nine digits; the surrounding quotes act as the anchors, so an unquoted value does not match.
#counts   SARE_BOUNDARY_D9         76s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_BOUNDARY_D9         80s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_BOUNDARY_D9         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_BOUNDARY_D9         8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_BOUNDARY_D9         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_BOUNDARY_D9         0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_BOUNDARY_D11        Content-Type =~ /boundary="\d{11}"/
describe  SARE_BOUNDARY_D11        Content type boundary used in spam or virus
score     SARE_BOUNDARY_D11        1.666
#stype    SARE_BOUNDARY_D11        spamp
#hist     SARE_BOUNDARY_D11        Created by Bob Menschel May 31 2004
#note     SARE_BOUNDARY_D11        The quoted boundary must be exactly eleven digits; the surrounding quotes act as the anchors, so an unquoted value does not match.
#counts   SARE_BOUNDARY_D11        112s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_D11        3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_BOUNDARY_D11        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_BOUNDARY_D11        7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_BOUNDARY_D11        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_BOUNDARY_D12      Content-Type =~ /boundary="\d{12,}"/
meta      SARE_BOUNDARY_D12        __SARE_BOUNDARY_D12 && !MIME_BOUND_DIGITS_15
describe  SARE_BOUNDARY_D12        Content type boundary used in spam or virus
score     SARE_BOUNDARY_D12        1.666
#stype    SARE_BOUNDARY_D12        spamp
#hist     SARE_BOUNDARY_D12        Created by Bob Menschel May 31 2004
#V300     SARE_BOUNDARY_D12        Converted to meta to avoid double-scoring new SA 3.0 MIME_BOUND_DIGITS_15 rule
#note     SARE_BOUNDARY_D12        The sub-rule matches a quoted all-digit boundary of 12 or more digits; the meta scores only when MIME_BOUND_DIGITS_15 did not fire.
#note     SARE_BOUNDARY_D12        NOTE(review): MIME_BOUND_DIGITS_15 is not defined in this file. If the installed SpamAssassin does not ship it, the exclusion presumably never applies -- confirm with "spamassassin --lint".
#counts   SARE_BOUNDARY_D12        412s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_D12        188s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_BOUNDARY_D12        238s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_BOUNDARY_D12        0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_BOUNDARY_D12        32s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_BOUNDARY_D12        65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_BOUNDARY_D12        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#alone    SARE_BOUNDARY_D12        701s/0h of 114271 corpus (81068s/33203h RM) 01/15/05

header    SARE_BOUNDARY_ANYDIG     Content-Type =~ /boundary="--.*\[\d\]/i
describe  SARE_BOUNDARY_ANYDIG     Content type boundary used in spam and viruses
score     SARE_BOUNDARY_ANYDIG     1.666
#note     SARE_BOUNDARY_ANYDIG     Matches a quoted boundary starting with "--" that later contains one digit inside literal square brackets, e.g. [3].
#note     SARE_BOUNDARY_ANYDIG     NOTE(review): presumably an unexpanded mailer template token; ".*" is unbounded, so the bracketed digit may appear anywhere after the boundary start, including in a later parameter.
#hist     SARE_BOUNDARY_ANYDIG     Created by Bob Menschel May 7 2005, suggested by Alex Broens 
#counts   SARE_BOUNDARY_ANYDIG     143s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_BOUNDARY_ANYDIG     282s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#counts   SARE_BOUNDARY_ANYDIG     3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_BOUNDARY_ANYDIG     85s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_BOUNDARY_ANYDIG     2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_BOUNDARY_QZSOFT     content-type =~ /boundary="qzsoft_directmail_seperator"/
describe  SARE_BOUNDARY_QZSOFT     Identifies spam from specific spamware
score     SARE_BOUNDARY_QZSOFT     1.666
#hist     SARE_BOUNDARY_QZSOFT     Loren Wilton, LW_DIRECTMAIL, Sep 5 2004
#note     SARE_BOUNDARY_QZSOFT     Exact, case-sensitive literal. The misspelling "seperator" is part of the fingerprint; do not correct it.
#counts   SARE_BOUNDARY_QZSOFT     347s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_QZSOFT     5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_BOUNDARY_QZSOFT     6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_BOUNDARY_QZSOFT     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_BOUNDARY_QZSOFT     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_QZSOFT     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE From Rules 
########  ######################   ##################################################

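# SARE_FROM_BADAOL: sender address is at aol.com / cs.com but its local part does not
# follow the AOL screen-name syntax (3 to 16 alphanumerics, first character a letter).
# The "good" test runs on From:addr and is anchored at both ends, so the WHOLE local
# part must qualify.  The earlier unanchored match on the raw From header was satisfied
# by the tail of a longer local part or by address-like text in the display name, and
# its unescaped "." accepted any character between "aol" and "com".
header    __AOL_FROM               From:addr =~ /\@(?:aol|cs)\.com$/i
header    __SARE_FROM_GOODAOL      From:addr =~ /^[a-z][a-z0-9]{2,15}\@aol\.com$/i
describe  __SARE_FROM_GOODAOL      Partial Rule: Marks Bad AOL Addresses
meta      SARE_FROM_BADAOL         __AOL_FROM && !__SARE_FROM_GOODAOL
describe  SARE_FROM_BADAOL         From an Invalid AOL Email Address
score     SARE_FROM_BADAOL         1.666
#hist     SARE_FROM_BADAOL         KAM.COMBO_BADAOL Originally submitted by from Kevin A. McGrail
#hist     SARE_FROM_BADAOL         Rule based on Kelson Vibber's MD code for bogus AOL Addresses
#hist     SARE_FROM_BADAOL         Check for bogus AOL addresses as described at
#hist     SARE_FROM_BADAOL         http://postmaster.aol.com/faq/mailerfaq.html#syntax
#hist     SARE_FROM_BADAOL         Rule for good addresses: all alphanumeric, starting with a letter, from 3 to 16 characters long.
#note     SARE_FROM_BADAOL         __AOL_FROM is SA Distrib rule
#note     SARE_FROM_BADAOL         NOTE(review): __AOL_FROM also accepts @cs.com while the good-address test accepts only @aol.com, so every @cs.com sender trips this meta -- confirm that is intended.
#note     SARE_FROM_BADAOL         The #counts/#max figures were gathered with the unanchored pattern; re-run mass-check before trusting them for this version.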
#counts   SARE_FROM_BADAOL         226s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FROM_BADAOL         359s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_FROM_BADAOL         30s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_BADAOL         51s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FROM_BADAOL         1s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#max      SARE_FROM_BADAOL         10s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_BADAOL         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_BADAOL         4s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_FROM_DRUGS          From =~ /\b(?:cialis|levitra|phentermine|valium|viagra|vicodin|xanax)\b/i
describe  SARE_FROM_DRUGS          From a drug
score     SARE_FROM_DRUGS          1.666
#hist     SARE_FROM_DRUGS          Bob Menschel May 14 2005, from sample provided by Joanne Dow
#hist     SARE_FROM_DRUGS          Split SOMA to new SARE_FROM_DRUGS2 rule because of ham.
#note     SARE_FROM_DRUGS          Whole-word, case-insensitive match of a listed drug name anywhere in the raw From header (display name or address).
#note     SARE_FROM_DRUGS          Word boundaries mean obfuscated spellings (inserted punctuation, digit substitutions) are not covered by this rule.
#counts   SARE_FROM_DRUGS          243s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FROM_DRUGS          753s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
#counts   SARE_FROM_DRUGS          0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FROM_DRUGS          17s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_DRUGS          2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_FROM_DRUGS          72s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FROM_DRUGS          108s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_FROM_DRUGS          7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_FROM_HOODIA         From =~ /"Hoodia/i
describe  SARE_FROM_HOODIA         From who do ya say?
score     SARE_FROM_HOODIA         1.666
#stype    SARE_FROM_HOODIA         spamg
#hist     SARE_FROM_HOODIA         Loren Wilton, Sept 2005
#note     SARE_FROM_HOODIA         Matches a From header in which a double quote is immediately followed by "Hoodia" (case-insensitive), i.e. a quoted display name that starts with that word.
#counts   SARE_FROM_HOODIA         45s/0h of 659759 corpus (325842s/333917h RM) 09/20/05
#counts   SARE_FROM_HOODIA         31s/0h of 56592 corpus (51660s/4932h MY) 09/22/05
#counts   SARE_FROM_HOODIA         1s/0h of 10551 corpus (5780s/4771h CT) 09/18/05

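# From header claims one of the listed local parts at paypal.com.  The dot in the
# domain is escaped so that only a literal "paypal.com" matches; unescaped, "." stood
# for any single character.
header    SARE_FROM_PAYPAL_INV     From =~ /(?:admin|services|support|update|verification)\@paypal\.com/i
describe  SARE_FROM_PAYPAL_INV     From invalid address at PayPal
score     SARE_FROM_PAYPAL_INV     1.111
#stype    SARE_FROM_PAYPAL_INV     spamp
#hist     SARE_FROM_PAYPAL_INV     Created by Bob Menschel Sep 24 2004
#note     SARE_FROM_PAYPAL_INV     This is a string match on a sender-supplied header, not sender authentication; it does nothing about forged mail that uses other local parts.
#note     SARE_FROM_PAYPAL_INV     NOTE(review): the list of "invalid" local parts dates from 2004 -- confirm none is in legitimate use before deploying.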
#counts   SARE_FROM_PAYPAL_INV     27s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FROM_PAYPAL_INV     39s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts   SARE_FROM_PAYPAL_INV     1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_PAYPAL_INV     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_FROM_PAYPAL_INV     1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_PAYPAL_INV     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FROM_SPAM_NAME2     From =~ /(?:Dating Tips|Email-Gallery|everyday-solution|Free Credit Report|FreebieFix|Long Distance|medmicro|Shape Solutions|TMobile Authorized Dealer|TheGolfWarehouses|Typing Teacher|Value Center|freePriority Shipping|funpage|koldny|propecia|thedailyfreesamples)/i
describe  SARE_FROM_SPAM_NAME2     From address suggests this is spam
score     SARE_FROM_SPAM_NAME2     1.666
#stype    SARE_FROM_SPAM_NAME2     spamp
#hist     SARE_FROM_SPAM_NAME2     COMBINED.FROM and other sources
#note     SARE_FROM_SPAM_NAME2     Case-insensitive substring match anywhere in the raw From header. There are no word boundaries, so each entry also matches inside longer words.
#note     SARE_FROM_SPAM_NAME2     NOTE(review): several entries are ordinary phrases ("Long Distance", "Value Center"); check current ham before reusing the list.
#counts   SARE_FROM_SPAM_NAME2     140s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_SPAM_NAME2     0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_SPAM_NAME2     1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_SPAM_NAME2     3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FROM_SPAM_NAME2     16s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_FROM_SPAM_NAME2     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPAM_NAME2     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

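# Display-name test: From:name contains "Wall Street" followed by one of the listed
# newsletter titles.  A describe line is supplied so that reports explain the hit,
# as every other scored rule in this section does.
header    SARE_FROM_WSJ            From:name =~ /Wall Street (?:News Alert|Journal Online|Stock Wizard|Detective|Universe|Update|Chronicle)/i
describe  SARE_FROM_WSJ            From name uses a Wall Street newsletter title seen in spam
score     SARE_FROM_WSJ            1.666
#hist     SARE_FROM_WSJ            Matt Yackley, Apr 15 2005, expanded by Bob Menschel
#note     SARE_FROM_WSJ            NOTE(review): "Journal Online" may also be the display name of a genuine publication's mail; no ham hit is recorded, but confirm against local ham.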
#counts   SARE_FROM_WSJ            77s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FROM_WSJ            86s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#counts   SARE_FROM_WSJ            2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_WSJ            11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_FROM_WSJ            258s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_WSJ            0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

#####################################################################################
#         SARE From Rules -- Emails coming from free webmail accounts
#         Since spam from these can vary depending upon country of origin, 
#         country of destination, policies, and enforcement of policies, 
#         most of these are kept as separate rules rather than combined. 
########  ######################   ##################################################

header    SARE_FREE_WEBM_COMWALL   From =~ /\@walla\.com/i
describe  SARE_FREE_WEBM_COMWALL   Maybe spammer with free email
score     SARE_FREE_WEBM_COMWALL   1.666
#hist     SARE_FREE_WEBM_COMWALL   Created by Bob Menschel Sep 26 2004
#note     SARE_FREE_WEBM_COMWALL   Scores on the claimed sender domain alone. The pattern has no right-hand anchor, so any From text containing "@walla.com" matches, including longer host names that start that way.
#counts   SARE_FREE_WEBM_COMWALL   851s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_COMWALL   18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_FREE_WEBM_COMWALL   10s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FREE_WEBM_COMWALL   13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_COMWALL   1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_COMWALL   1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_FREE_WEBM_Dora      From =~ /\bdoramail\.com/i
describe  SARE_FREE_WEBM_Dora      Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_Dora      1.666
#note     SARE_FREE_WEBM_Dora      Matches "doramail.com" at a word boundary anywhere in the raw From header, so the display name and sub-domains count as well as the address itself.
#counts   SARE_FREE_WEBM_Dora      182s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_Dora      9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_Dora      20s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_Dora      18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FREE_WEBM_Dora      21s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_FREE_WEBM_Dora      10s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_Dora      20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_Dora      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FROM_WEBM_ERESMAS   From =~ /eresmas\.com/i
describe  SARE_FROM_WEBM_ERESMAS   Probable spammer
score     SARE_FROM_WEBM_ERESMAS   1.666
#hist     SARE_FROM_WEBM_ERESMAS   Bob Menschel May 14 2005
#note     SARE_FROM_WEBM_ERESMAS   No "@" or word boundary: "eresmas.com" matches as a substring of any longer name in the From header.
#note     SARE_FROM_WEBM_ERESMAS   The rule name uses the SARE_FROM_WEBM_ prefix where its neighbours use SARE_FREE_WEBM_; leave it as is, since local score overrides refer to rules by name.
#counts   SARE_FROM_WEBM_ERESMAS   113s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FROM_WEBM_ERESMAS   619s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_FROM_WEBM_ERESMAS   13s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_WEBM_ERESMAS   1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_FROM_WEBM_ERESMAS   26s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_WEBM_ERESMAS   7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_FREE_WEBM_EsTerra   From =~ /\bterra\.es/i
describe  SARE_FREE_WEBM_EsTerra   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_EsTerra   1.666
#note     SARE_FREE_WEBM_EsTerra   Matches "terra.es" at a word boundary with no right-hand anchor, so any From text continuing past ".es" (a longer label or TLD) matches too.
#counts   SARE_FREE_WEBM_EsTerra   142s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FREE_WEBM_EsTerra   228s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_FREE_WEBM_EsTerra   8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_EsTerra   6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_EsTerra   2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_EsTerra   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_Kero      From =~ /\bKeromail\.com/i
describe  SARE_FREE_WEBM_Kero      Sender used free email account - may be spammer
score     SARE_FREE_WEBM_Kero      0.950
#note     SARE_FREE_WEBM_Kero      Case-insensitive match of "keromail.com" at a word boundary anywhere in the raw From header; scores on the claimed sender domain alone.
#counts   SARE_FREE_WEBM_Kero      29s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FREE_WEBM_Kero      46s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_FREE_WEBM_Kero      5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FREE_WEBM_Kero      12s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_Kero      7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_Kero      6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_Kero      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_LATINML   From =~ /\@latinmail\.com/i
describe  SARE_FREE_WEBM_LATINML   Maybe spammer with free email
score     SARE_FREE_WEBM_LATINML   1.666
#hist     SARE_FREE_WEBM_LATINML   Created by Bob Menschel Sep 28 2004
#note     SARE_FREE_WEBM_LATINML   Scores on the claimed sender domain alone. The latest RM run records one ham hit (124s/1h), yet the score equals that of the zero-ham webmail rules -- weigh that before deploying where Latin American ham is expected.
#counts   SARE_FREE_WEBM_LATINML   124s/1h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FREE_WEBM_LATINML   296s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_FREE_WEBM_LATINML   18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_LATINML   19s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_LATINML   7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FREE_WEBM_LATINML   0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_LATINML   1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_LATINML   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_OwnEm1    From =~ /\@(?:ownemail|akkadian|alarmists|armymail|arsed|astromail|barefooted|bellybuster|bemused|bigisbeautiful|bigisbetter|bigsecret|blag|blahdeblah|blowitup|boardmaster|bobbles|boster|brutes|buttonpushers|chalky|changeplace|charlies|chasing|cherrycola|chewies|chocolatejunkies|clubfever|codemaster|creaky|crumbly|currymonster|cutemail|darkcorner|darkplace|daydreamer|deepdesire|desilver|diddled|djsuperstars|doleoffice|dotters|downboy|ducktail|elitists|emergencymail)\.com/i
describe  SARE_FREE_WEBM_OwnEm1    Sender used free email account - may be spammer
#describ  SARE_FREE_WEBM_OwnEm1    These are all aliases of the OwnEmail.Com service, from which we get spam. 
score     SARE_FREE_WEBM_OwnEm1    1.666
#note     SARE_FREE_WEBM_OwnEm1    The SARE_FREE_WEBM_OWNEMn rules all apply to the same webmail host -- score identically as long as no ham match.
#note     SARE_FREE_WEBM_OwnEm1    First half of the alias list (SARE_FREE_WEBM_OwnEm2 holds the rest). Each alias must follow "@" directly and be followed by ".com"; nothing anchors the end, so longer host names beginning that way also match.
#note     SARE_FREE_WEBM_OwnEm1    NOTE(review): this is a static 2004-era domain list; domains change hands, so re-validate entries before reuse.
#counts   SARE_FREE_WEBM_OwnEm1    11s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FREE_WEBM_OwnEm1    159s/0h of 115937 corpus (94614s/21323h) 04/29/04
#counts   SARE_FREE_WEBM_OwnEm1    9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_OwnEm1    19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_OwnEm1    31s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FREE_WEBM_OwnEm1    35s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_OwnEm1    3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_OwnEm1    6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_OwnEm1    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_OwnEm2    From =~ /\@(?:fairyqueen|fantasyforce|fastbowler|firelord|fynns|gameaddict|gobby|hothatches|kickedout|kred|lemonmail|liquidlunch|lovesecrets|luckster|lucys|madder|makethebreak|manmachine|mippy|misssporty|mistersporty|mrlottery|mrsporty|nagging|naseem|nicked|ownplace|pammy|poppet|qualitymail|r-a-v-e|raddled|ribber|shearer|slouching|spoofer|stalkers|sthelens|stubby|sunstertacomail|taureans|tenderkiss|thearchway|thebrewer|thecutest|thelostworld|tiggy|tizzi|tosser|trilby)\.com/i
describe  SARE_FREE_WEBM_OwnEm2    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_OwnEm2    1.666
#note     SARE_FREE_WEBM_OwnEm2    The SARE_FREE_WEBM_OWNEMn rules all apply to the same webmail host -- score identically as long as no ham match.
#note     SARE_FREE_WEBM_OwnEm2    Second half of the alias list (SARE_FREE_WEBM_OwnEm1 holds the first). Each alias must follow "@" directly and be followed by ".com"; nothing anchors the end.
#note     SARE_FREE_WEBM_OwnEm2    NOTE(review): this is a static 2004-era domain list; domains change hands, so re-validate entries before reuse.
#counts   SARE_FREE_WEBM_OwnEm2    12s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_FREE_WEBM_OwnEm2    153s/0h of 115937 corpus (94614s/21323h) 04/29/04
#counts   SARE_FREE_WEBM_OwnEm2    7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_OwnEm2    8s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_OwnEm2    35s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FREE_WEBM_OwnEm2    5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_OwnEm2    2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_FREE_WEBM_Uymail    From =~ /\buymail\.com/i
describe  SARE_FREE_WEBM_Uymail    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_Uymail    1.228
#note     SARE_FREE_WEBM_Uymail    The leading \b keeps the pattern from matching inside a longer label (a letter directly before "uymail" blocks the match); the right-hand side is unanchored.
#counts   SARE_FREE_WEBM_Uymail    22s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_FREE_WEBM_Uymail    103s/0h of 125163 corpus (104972s/20191h) 03/28/04
#counts   SARE_FREE_WEBM_Uymail    13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_FREE_WEBM_Uymail    1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#max      SARE_FREE_WEBM_Uymail    4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_Uymail    1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_Uymail    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_Zwallet   From =~ /\bzwallet\.com/i
describe  SARE_FREE_WEBM_Zwallet   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_Zwallet   1.666
#note     SARE_FREE_WEBM_Zwallet   Matches "zwallet.com" at a word boundary anywhere in the raw From header; scores on the claimed sender domain alone.
#counts   SARE_FREE_WEBM_Zwallet   241s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_Zwallet   7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_Zwallet   8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_Zwallet   3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FREE_WEBM_Zwallet   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_Zwallet   11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

#####################################################################################
#         SARE Message-ID rules
########  ######################   ##################################################

header    SARE_MSGID_1Z1Z          MESSAGEID =~ /<1z.+\@1z/
describe  SARE_MSGID_1Z1Z          Message-ID has ratware pattern (1zXXXX@1z)
score     SARE_MSGID_1Z1Z          2.222
#note     SARE_MSGID_1Z1Z          Case-sensitive: the Message-ID must open with "<1z" and its right-hand side must begin with "1z"; at least one character must sit between them.
#counts   SARE_MSGID_1Z1Z          978s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_MSGID_1Z1Z          0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_MSGID_1Z1Z          94s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_MSGID_1Z1Z          527s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_MSGID_1Z1Z          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_1Z1Z          1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_MSGID_HEX30         MESSAGEID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
describe  SARE_MSGID_HEX30         Message-ID has ratware pattern (HEXHEXHEX$9x9@)
score     SARE_MSGID_HEX30         1.666
#note     SARE_MSGID_HEX30         Left part is exactly 30 upper-case letters/digits, "$", then exactly 9 lower-case letters/digits before "@".
#note     SARE_MSGID_HEX30         Despite the name, the first class is [A-Z0-9], not hex: any upper-case letter is accepted.
#counts   SARE_MSGID_HEX30         18s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_MSGID_HEX30         235s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_MSGID_HEX30         2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#counts   SARE_MSGID_HEX30         0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_MSGID_HEX30         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05

#####################################################################################
#         SARE Received Header Rules
########  ######################   ##################################################

header    SARE_HELO_MAILUSER       Received =~ /helo=MailUser\)/i
describe  SARE_HELO_MAILUSER       Received header has possible spamsign
score     SARE_HELO_MAILUSER       1.111
#stype    SARE_HELO_MAILUSER       spamp
#hist     SARE_HELO_MAILUSER       Created by Bob Menschel May 31 2004
#note     SARE_HELO_MAILUSER       Matches the literal text "helo=MailUser)" (case-insensitive) in any Received header, so it depends on the receiving MTA writing the HELO name in that format.
#note     SARE_HELO_MAILUSER       Very low volume: 7 hits in the latest RM run and none in the other corpora.
#counts   SARE_HELO_MAILUSER       7s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HELO_MAILUSER       12s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#counts   SARE_HELO_MAILUSER       0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_HELO_MAILUSER       0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HELO_MAILUSER       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HELO_MAILUSER       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_LOCALHOST      Received =~ /localhosts\.txt/i
describe  SARE_RECV_LOCALHOST      fingerprint
score     SARE_RECV_LOCALHOST      1.111
#stype    SARE_RECV_LOCALHOST      spamp
#hist     SARE_RECV_LOCALHOST      Alex Broens, June 2005
#note     SARE_RECV_LOCALHOST      Matches the literal text "localhosts.txt" in any Received header -- presumably a file name leaked by a bulk mailer's template; confirm against samples.
#note     SARE_RECV_LOCALHOST      RM hits fell from 77 (#max, 06/12/05) to 1 (09/11/05), so the fingerprint may already be obsolete.
#counts   SARE_RECV_LOCALHOST      1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_LOCALHOST      77s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_RECV_LOCALHOST      0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_LOCALHOST      0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_SUSP_2         Received =~ /from\s+[A-Z0-9]+\s+\(\[10\.2\.202\.25\]\)\s+by\s+[A-Z0-9]+\.[a-z]+/
describe  SARE_RECV_SUSP_2         Spammer sign in headers
score     SARE_RECV_SUSP_2         1.666
#hist     SARE_RECV_SUSP_2         LW_RATWARE1
#note     SARE_RECV_SUSP_2         Case-sensitive Received-line shape: "from <UPPERCASE/digits> ([10.2.202.25]) by <UPPERCASE/digits>.<lowercase>".
#note     SARE_RECV_SUSP_2         10.2.202.25 lies in RFC 1918 private address space, so this identifies a header layout, not a routable host. NOTE(review): make sure no internal relay of yours stamps that address.
#counts   SARE_RECV_SUSP_2         31s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_SUSP_2         69s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_RECV_SUSP_2         31s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_SUSP_2         124s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_SUSP_2         1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_SUSP_2         4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_SUSP_2         8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_SUSP_2         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_TRADVALUES     Received =~ /\btraditionalvalues\.org/i
describe  SARE_RECV_TRADVALUES     From or passed through spammer/unreliable domain
score     SARE_RECV_TRADVALUES     3.333  
#stype    SARE_RECV_TRADVALUES     spamgg
#hist     SARE_RECV_TRADVALUES     RM_hr_tradvalues
#note     SARE_RECV_TRADVALUES     Scores 3.333 whenever the domain string appears in any Received header, including headers written by hosts outside your trusted relays.
#note     SARE_RECV_TRADVALUES     NOTE(review): every recorded hit is from the RM corpus. This is a static, single-maintainer domain listing -- confirm it is still warranted before deploying.
#counts   SARE_RECV_TRADVALUES     79s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_TRADVALUES     97s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_RECV_TRADVALUES     0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
#counts   SARE_RECV_TRADVALUES     0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
#counts   SARE_RECV_TRADVALUES     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_TRADVALUES     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

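# Received header names viplist.us or carries the bracketed address 216.74.127.234.
# \b applies to the domain alternative only: placed in front of "\[" it demanded a
# word character immediately before the bracket, so the usual "(host [ip])" and
# "([ip])" layouts could never match.  The dots of the address are escaped so they
# match literal dots rather than any character.
header    SARE_RECV_VIPLIST        Received =~ /(?:\bviplist\.us|\[216\.74\.127\.234\])/
describe  SARE_RECV_VIPLIST        Email comes from known spammer system
score     SARE_RECV_VIPLIST        4.000
#stype    SARE_RECV_VIPLIST        spamggg
#hist     SARE_RECV_VIPLIST        Created by Bob Menschel Sep 29 2004
#note     SARE_RECV_VIPLIST        The IP alternative now matches layouts it previously missed; the recorded #counts/#max predate that, so re-run mass-check.
#note     SARE_RECV_VIPLIST        NOTE(review): a 4.000 score rests on a hard-coded 2004 address. IP assignments change; confirm the attribution still holds or replace it with a maintained blocklist lookup.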
#counts   SARE_RECV_VIPLIST        46s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_VIPLIST        255s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_VIPLIST        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_VIPLIST        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_VIPLIST        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_VIPLIST        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_XACTRIX        Received =~ /\b(?:accutra|xactrix)\.com/i
describe  SARE_RECV_XACTRIX        From/through probable spammer system 
score     SARE_RECV_XACTRIX        2.500  
#stype    SARE_RECV_XACTRIX        spamg
#hist     SARE_RECV_XACTRIX        Created by Bob Menschel Sep 03 2004
#note     SARE_RECV_XACTRIX        Matches either domain at a word boundary in any Received header; the right-hand side is unanchored.
#note     SARE_RECV_XACTRIX        The most recent RM run listed (05/05/05) shows 0 hits; only the MY corpus still matches. NOTE(review): check whether a 2.500 score is still justified.
#counts   SARE_RECV_XACTRIX        0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_RECV_XACTRIX        11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_XACTRIX        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_XACTRIX        12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_XACTRIX        21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_XACTRIX        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_XACTRIX        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Received Header IP Address Rules
########  ######################   ##################################################

# Matches a bracketed address literal in 4.78.193.0/24 in the Received headers.
# NOTE(review): the pattern is not limited to hops added by trusted relays, so a
# Received line written by the sender can trigger it as well -- confirm that is
# acceptable for a rule whose hit counts date from 2005.
header    SARE_RECV_IP_004078      Received =~ /\[4\.78\.193\.\d{1,3}\]/
describe  SARE_RECV_IP_004078      Spam passed through possible spammer relay
score     SARE_RECV_IP_004078      1.666 
#hist     SARE_RECV_IP_004078      Created by Bob Menschel Feb 5 2005 from Spam-L information
#note     SARE_RECV_IP_004078      CWIE, LLC
#counts   SARE_RECV_IP_004078      0s/0h of 95095 corpus (59680s/35415h RM) 02/05/05
#counts   SARE_RECV_IP_004078      0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_004078      347s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_004078      397s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_004078      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_004078      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 38.112.147.0/24 in the Received headers.
header    SARE_RECV_IP_038112147   Received =~ /\[38\.112\.147\.\d{1,3}\]/
describe  SARE_RECV_IP_038112147   Spam passed through possible spammer relay
score     SARE_RECV_IP_038112147   1.111
#stype    SARE_RECV_IP_038112147   spamp
#hist     SARE_RECV_IP_038112147   Created by Bob Menschel, Feb 19 2005, from Spam-L posting
#counts   SARE_RECV_IP_038112147   0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_038112147   66s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
#counts   SARE_RECV_IP_038112147   0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_038112147   3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_RECV_IP_038112147   3s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_038112147   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_038112147   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 61.52.0.0 - 61.54.255.255 (three /16
# networks) in the Received headers.
# NOTE(review): a range this wide also covers ordinary senders in those
# networks; the 0h figures below are from 2004-2005 corpora.
header    SARE_RECV_IP_061052      Received =~ /\[61\.5[2-4]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_061052      Spam passed through possible spammer relay
score     SARE_RECV_IP_061052      1.666  
#stype    SARE_RECV_IP_061052      spamp 
#hist     SARE_RECV_IP_061052      Created by Bob Menschel May 10 2004
#counts   SARE_RECV_IP_061052      410s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_061052      16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_061052      25s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_061052      13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_RECV_IP_061052      15s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_061052      18s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_061052      19s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_061052      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 61.172.0.0/15 (61.172.x.x and
# 61.173.x.x) in the Received headers.
# NOTE(review): one ham hit is already recorded below (ft corpus, 06/04/05).
header    SARE_RECV_IP_061172      Received =~ /\[61\.17[23]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_061172      Spam passed through possible spammer relay
score     SARE_RECV_IP_061172      1.666
#stype    SARE_RECV_IP_061172      spamp 
#counts   SARE_RECV_IP_061172      206s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_061172      305s/0h of 119325 corpus (98981s/20344h) 03/22/04
#counts   SARE_RECV_IP_061172      13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_061172      27s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_061172      276s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_061172      45s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_IP_061172      1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

# Matches a bracketed address literal in 63.106.130.0/24 in the Received headers.
header    SARE_RECV_IP_063106130   Received =~ /\[63\.106\.130\.\d{1,3}\]/
describe  SARE_RECV_IP_063106130   Spam passed through possible spammer relay
score     SARE_RECV_IP_063106130   1.111  
#stype    SARE_RECV_IP_063106130   spamp 
#hist     SARE_RECV_IP_063106130   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_063106130   Data Depot LLC
#counts   SARE_RECV_IP_063106130   5s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#max      SARE_RECV_IP_063106130   15s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
#counts   SARE_RECV_IP_063106130   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_063106130   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_063106130   0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_063106130   1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

# Matches a bracketed address literal in 64.69.32.0/24 in the Received headers.
header    SARE_RECV_IP_064069032   Received =~ /\[64\.69\.32\.\d{1,3}\]/
describe  SARE_RECV_IP_064069032   Spam passed through possible spammer relay
score     SARE_RECV_IP_064069032   1.111  
#stype    SARE_RECV_IP_064069032   spamp 
#hist     SARE_RECV_IP_064069032   Created by Bob Menschel Aug 07 2005
#counts   SARE_RECV_IP_064069032   13s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_064069032   0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_064069032   0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

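# Matches a bracketed address literal in 64.192.82.0/23 (64.192.82.x and
# 64.192.83.x) in the Received headers. The header name is spelled "Received"
# like the sibling rules in this section.
header    SARE_RECV_IP_064192082   Received =~ /\[64\.192\.8[23]\.\d{1,3}\]/
describe  SARE_RECV_IP_064192082   Spam passed through possible spammer relay
score     SARE_RECV_IP_064192082   1.111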
#stype    SARE_RECV_IP_064192082   spamp
#hist     SARE_RECV_IP_064192082   Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
#counts   SARE_RECV_IP_064192082   0s/0h of 98352 corpus (59690s/38662h RM) 01/29/05
#counts   SARE_RECV_IP_064192082   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_064192082   9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_064192082   39s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_064192082   0s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_064192082   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 66.59.94.0/24 in the Received headers.
header    SARE_RECV_IP_066059094   Received =~ /\[66\.59\.94\.\d{1,3}\]/
describe  SARE_RECV_IP_066059094   Spam passed through possible spammer relay
score     SARE_RECV_IP_066059094   2.333 
#hist     SARE_RECV_IP_066059094   Created by Bob Menschel Aug 07 2005
#counts   SARE_RECV_IP_066059094   2505s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_066059094   0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_066059094   0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# Matches a bracketed address literal in 66.63.178.0/24 in the Received headers
# (the rule name carries only the first two octets).
header    SARE_RECV_IP_066063      Received =~ /\[66\.63\.178\.\d{1,3}\]/
describe  SARE_RECV_IP_066063      Passed through possible spammer relay or source
score     SARE_RECV_IP_066063      1.111
#stype    SARE_RECV_IP_066063      spamp
#hist     SARE_RECV_IP_066063      Created by Bob Menschel Feb 10 2005 from Spam-L info
#counts   SARE_RECV_IP_066063      0s/0h of 118836 corpus (71083s/47753h RM) 02/10/05
#counts   SARE_RECV_IP_066063      0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_RECV_IP_066063      21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_066063      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_066063      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 66.114.217.0/24 in the Received headers.
header    SARE_RECV_IP_066114a     Received =~ /\[66\.114\.217\.\d{1,3}\]/
describe  SARE_RECV_IP_066114a     Spam passed through possible spammer relay
score     SARE_RECV_IP_066114a     1.111  
#stype    SARE_RECV_IP_066114a     spamp 
#hist     SARE_RECV_IP_066114a     Created by Bob Menschel Feb 5 2005 from Spam-L info
#note     SARE_RECV_IP_066114a     SW FLA Hosting
#counts   SARE_RECV_IP_066114a     0s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#max      SARE_RECV_IP_066114a     27s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_IP_066114a     0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_066114a     13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_066114a     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_066114a     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches exactly four bracketed addresses, 66.159.17.84 - 66.159.17.87, in the
# Received headers.
header    SARE_RECV_IP_066159017   Received =~ /\[66\.159\.17\.8[4-7]\]/
describe  SARE_RECV_IP_066159017   Spam passed through possible spammer relay
score     SARE_RECV_IP_066159017   1.666  
#hist     SARE_RECV_IP_066159017   Created by Bob Menschel Aug 07 2005
#counts   SARE_RECV_IP_066159017   219s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_066159017   0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_066159017   0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# Matches a bracketed address literal in 69.60.122.0/24 in the Received headers.
header    SARE_RECV_IP_069060122   Received =~ /\[69\.60\.122\.\d{1,3}\]/
describe  SARE_RECV_IP_069060122   Spam passed through possible spammer relay
score     SARE_RECV_IP_069060122   1.111  
#stype    SARE_RECV_IP_069060122   spamp 
#hist     SARE_RECV_IP_069060122   Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_069060122   28s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_069060122   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_069060122   3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

# Matches a bracketed address literal in 70.96.177.0/24 in the Received headers.
header    SARE_RECV_IP_070096177   Received =~ /\[70\.96\.177\.\d{1,3}\]/
describe  SARE_RECV_IP_070096177   Spam passed through possible spammer relay
score     SARE_RECV_IP_070096177   1.666  
#stype    SARE_RECV_IP_070096177   spamp 
#hist     SARE_RECV_IP_070096177   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_070096177   Broadlogix
#counts   SARE_RECV_IP_070096177   0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_070096177   78s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_RECV_IP_070096177   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_070096177   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_070096177   48s/0h of 47283 corpus (43206s/4077h MY) 06/05/05

# Matches a bracketed address literal whose third octet is written 2dd, i.e.
# 71.4.200.x - 71.4.255.x for valid addresses (the pattern would also accept
# 256-299, which cannot occur in a real address).
# NOTE(review): one ham hit is already recorded below (ft corpus, 07/27/05).
header    SARE_RECV_IP_071004200   Received =~ /\[71\.4\.2\d\d\.\d{1,3}\]/
describe  SARE_RECV_IP_071004200   Spam passed through possible spammer relay
score     SARE_RECV_IP_071004200   1.666  
#stype    SARE_RECV_IP_071004200   spamp 
#hist     SARE_RECV_IP_071004200   Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_071004200   17s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_071004200   51s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_RECV_IP_071004200   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_071004200   298s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_071004200   1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

# Matches a bracketed address literal in 72.34.96.0/20 in the Received headers:
# the third-octet alternation spells out 96-99, 100-109 and 110-111.
header    SARE_RECV_IP_072034096   Received =~ /\[72\.34\.(?:9[6-9]|1(?:0\d|1[01]))\.\d{1,3}\]/
describe  SARE_RECV_IP_072034096   Spam passed through possible spammer relay
score     SARE_RECV_IP_072034096   1.666  
#stype    SARE_RECV_IP_072034096   spamp 
#hist     SARE_RECV_IP_072034096   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_072034096   Race Technologies
#counts   SARE_RECV_IP_072034096   4s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_072034096   255s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
#counts   SARE_RECV_IP_072034096   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_072034096   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_072034096   4s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

# Matches a bracketed address literal in 204.10.39.32/27 in the Received
# headers: the last-octet alternation spells out 32-39, 40-59 and 60-63.
header    SARE_RECV_IP_204010039   Received =~ /\[204\.10\.39\.(?:3[2-9]|[45]\d|6[0-3])\]/
describe  SARE_RECV_IP_204010039   Spam passed through possible spammer relay
score     SARE_RECV_IP_204010039   1.111  
#stype    SARE_RECV_IP_204010039   spamp 
#hist     SARE_RECV_IP_204010039   Created by Bob Menschel Aug 07 2005
#note     SARE_RECV_IP_204010039   Strategic Impact Concepts
#counts   SARE_RECV_IP_204010039   34s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_204010039   0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_204010039   0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

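# Matches a bracketed address literal in 206.81.80.0/20 in the Received headers:
# the third-octet alternation spells out 80-89 and 90-95. The header name is
# spelled "Received" like the sibling rules in this section.
header    SARE_RECV_IP_206081080   Received =~ /\[206\.81\.(?:8\d|9[0-5])\.\d{1,3}\]/
describe  SARE_RECV_IP_206081080   Spam passed through possible spammer relay
score     SARE_RECV_IP_206081080   1.666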
#stype    SARE_RECV_IP_206081080   spamp
#hist     SARE_RECV_IP_206081080   Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
#counts   SARE_RECV_IP_206081080   4s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_206081080   32s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
#counts   SARE_RECV_IP_206081080   1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_206081080   2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_206081080   80s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_206081080   152s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_206081080   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_206081080   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 207.182.146.192/26 in the Received
# headers: the last octet is 192-199 or 2dd (200-255 for valid addresses).
header    SARE_RECV_IP_207182      Received =~ /\[207\.182\.146\.(?:19[2-9]|2\d{2})\]/
describe  SARE_RECV_IP_207182      Passed through possible spammer relay or source
score     SARE_RECV_IP_207182      1.666
#stype    SARE_RECV_IP_207182      spamp
#hist     SARE_RECV_IP_207182      Created by Bob Menschel Feb 10 2005 from Spam-L info
#counts   SARE_RECV_IP_207182      0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_207182      26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_IP_207182      71s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_207182      20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_207182      57s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_207182      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_207182      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

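# Matches a bracketed address literal in 208.48.182.0/24 in the Received headers.
# The dot after "208" is escaped; unescaped it matched any character in that
# position instead of a literal ".".
header    SARE_RECV_IP_208048182   Received =~ /\[208\.48\.182\.\d{1,3}\]/
describe  SARE_RECV_IP_208048182   Spam passed through possible spammer relay
score     SARE_RECV_IP_208048182   1.111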
#stype    SARE_RECV_IP_208048182   spamp 
#hist     SARE_RECV_IP_208048182   Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_208048182   0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_RECV_IP_208048182   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_208048182   36s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_208048182   43s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

# Matches a bracketed address literal in 208.53.11.0/24 in the Received headers.
header    SARE_RECV_IP_208053011   Received =~ /\[208\.53\.11\.\d{1,3}\]/
describe  SARE_RECV_IP_208053011   Spam passed through possible spammer relay
score     SARE_RECV_IP_208053011   1.666  
#stype    SARE_RECV_IP_208053011   spamp 
#hist     SARE_RECV_IP_208053011   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_208053011   Advanced Dedicated Database Servers LLC
#counts   SARE_RECV_IP_208053011   1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_208053011   5s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#counts   SARE_RECV_IP_208053011   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_208053011   17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

# Matches a bracketed address literal in 216.55.133.0/24 in the Received headers.
# NOTE(review): one ham hit is already recorded below (ft corpus, 05/17/05).
header    SARE_RECV_IP_216055133   Received =~ /\[216\.55\.133\.\d{1,3}\]/
describe  SARE_RECV_IP_216055133   Spam passed through possible spammer relay
score     SARE_RECV_IP_216055133   1.111
#stype    SARE_RECV_IP_216055133   spamp 
#hist     SARE_RECV_IP_216055133   Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_216055133   0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_RECV_IP_216055133   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_216055133   1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_216055133   15s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

# Matches a bracketed address literal in 218.11.0.0 - 218.12.255.255 (two /16
# networks) in the Received headers.
# NOTE(review): a provider-wide range also covers ordinary senders on that
# network; the 0h figures below are from 2004-2005 corpora.
header    SARE_RECV_IP_218011      Received =~ /\[218\.1[12]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218011      Spam passed through Chinese CNCGROUP-HE system
score     SARE_RECV_IP_218011      1.666
#stype    SARE_RECV_IP_218011      spamp
#counts   SARE_RECV_IP_218011      60s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_218011      149s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_RECV_IP_218011      22s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_218011      6s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_218011      5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_218011      9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_218011      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 218.62.0.0/15 (218.62.x.x and
# 218.63.x.x) in the Received headers.
header    SARE_RECV_IP_218062      Received =~ /\[218\.6[23]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218062      Passed through possible spammer relay or source
score     SARE_RECV_IP_218062      1.111
#stype    SARE_RECV_IP_218062      spamp
#hist     SARE_RECV_IP_218062      Created by Bob Menschel Aug 09 2004
#counts   SARE_RECV_IP_218062      55s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_218062      8s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_218062      5s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_218062      3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_218062      5s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_218062      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 218.71.0.0/16 in the Received headers.
header    SARE_RECV_IP_218071      Received =~ /\[218\.71\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218071      Spam passed through possible spammer relay
score     SARE_RECV_IP_218071      1.666
#hist     SARE_RECV_IP_218071      Created by Bob Menschel Apr 04 2004
#counts   SARE_RECV_IP_218071      160s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_RECV_IP_218071      16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_218071      126s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_218071      2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_RECV_IP_218071      5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_218071      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 218.85.0.0 - 218.86.255.255 (two /16
# networks) in the Received headers.
header    SARE_RECV_IP_218085      Received =~ /\[218\.8[56]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218085      Passed through possible spammer relay or source
score     SARE_RECV_IP_218085      1.666 
#stype    SARE_RECV_IP_218085      spamp
#hist     SARE_RECV_IP_218085      Created by Bob Menschel Aug 23 2004
#counts   SARE_RECV_IP_218085      122s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_218085      14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_218085      17s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_218085      51s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_218085      51s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_218085      5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_218085      8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_218085      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 219.159.64.0 - 219.159.255.255 in the
# Received headers: the third octet is 64-69, 70-99 or any three digits (the
# \d{3} branch also accepts 256-999, which cannot occur in a real address).
header    SARE_RECV_IP_219159      Received =~ /\[219\.159\.(?:6[4-9]|[7-9]\d|\d{3})\.\d{1,3}\]/
describe  SARE_RECV_IP_219159      Spam passed through possible spammer relay
score     SARE_RECV_IP_219159      1.111
#stype    SARE_RECV_IP_219159      spamp 
#hist     SARE_RECV_IP_219159      Created by Bob Menschel Apr 28 2004
#counts   SARE_RECV_IP_219159      52s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_219159      2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_219159      2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_219159      2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_219159      1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_219159      3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_219159      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 219.248.0.0/16 in the Received headers.
# NOTE(review): per the #note below this is a registry-level allocation, so the
# rule covers every sender inside it; the 0h figures are from 2005 corpora.
header    SARE_RECV_IP_219248      Received =~ /\[219\.248\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_219248      Passed through possible spammer relay or source
score     SARE_RECV_IP_219248      1.666  
#hist     SARE_RECV_IP_219248      Created by Bob Menschel Dec 09 2004
#note     SARE_RECV_IP_219248      Korea Network Information Center
#counts   SARE_RECV_IP_219248      325s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_219248      30s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_219248      11s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_219248      7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_219248      19s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_219248      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 220.168.0.0 - 220.170.255.255 (three
# /16 networks) in the Received headers.
header    SARE_RECV_IP_220168      Received =~ /\[220\.1(?:6[89]|70)\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_220168      Passed through possible spammer relay or source
score     SARE_RECV_IP_220168      1.666
#note     SARE_RECV_IP_220168      ChinaNet, Hunan Province
#hist     SARE_RECV_IP_220168      Created by Bob Menschel Nov 13 2004
#counts   SARE_RECV_IP_220168      85s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_220168      104s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_IP_220168      19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_220168      111s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_220168      2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_220168      9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_220168      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 220.189.0.0/18 in the Received
# headers: the third-octet alternation spells out 0-9, 10-59 and 60-63.
header    SARE_RECV_IP_220189      Received =~ /\[220\.189\.(?:\d|[1-5]\d|6[0-3])\.\d{1,3}\]/
describe  SARE_RECV_IP_220189      Passed through possible spammer relay or source
score     SARE_RECV_IP_220189      0.844 
#hist     SARE_RECV_IP_220189      Created by Bob Menschel May 1 2004
#counts   SARE_RECV_IP_220189      28s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_220189      28s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_RECV_IP_220189      5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_220189      18s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#max      SARE_RECV_IP_220189      18s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_220189      1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_220189      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a bracketed address literal in 221.0.0.0/14 (221.0.x.x - 221.3.x.x)
# in the Received headers.
# NOTE(review): a /14 covers roughly 262,000 addresses and one ham hit is
# already recorded below (ft corpus, 09/18/05); re-check before relying on it.
header    SARE_RECV_IP_221000      Received =~ /\[221\.[0-3]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_221000      Passed through possible spammer relay or source
score     SARE_RECV_IP_221000      1.433 
#hist     SARE_RECV_IP_221000      Created by Bob Menschel Jul 24 2004
#counts   SARE_RECV_IP_221000      117s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_221000      13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_221000      24s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_221000      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_221000      3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_221000      1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# Matches a bracketed address literal in 222.32.0.0/11 in the Received headers:
# the second-octet alternation spells out 32-39, 40-59 and 60-63.
# NOTE(review): a /11 is about two million addresses and carries the highest
# score in this section; the pattern is not limited to trusted hops, and the
# 0h figures below are from 2005 corpora -- re-validate against current ham.
header    SARE_RECV_IP_222032      Received =~ /\[222\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_222032      Spam passed through possible spammer relay
score     SARE_RECV_IP_222032      2.222
#stype    SARE_RECV_IP_222032      spamp
#note     SARE_RECV_IP_222032      China Railway Telecommunications Center , Beijing
#hist     SARE_RECV_IP_222032      Created by Bob Menschel Feb 24 2005
#counts   SARE_RECV_IP_222032      1699s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_222032      70s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_222032      89s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_222032      38s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_222032      103s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_222032      2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

#####################################################################################
#         SARE Reply-To Header Rules 
########  ######################   ##################################################

# Hits when the Reply-To header names accutra.com or xactrix.com
# (case-insensitive). SARE_RECV_XACTRIX tests the same host pattern against
# Received, so one message can collect both scores.
header    SARE_REPLY_XACTRIX       Reply-To =~ /\b(?:accutra|xactrix)\.com/i
describe  SARE_REPLY_XACTRIX       Reply-To email addr to spammer
score     SARE_REPLY_XACTRIX       1.666
#stype    SARE_REPLY_XACTRIX       spamg
#hist     SARE_REPLY_XACTRIX       Created by Bob Menschel Sep 03 2004
#counts   SARE_REPLY_XACTRIX       0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_REPLY_XACTRIX       11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_REPLY_XACTRIX       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_REPLY_XACTRIX       12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_REPLY_XACTRIX       21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_REPLY_XACTRIX       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_REPLY_XACTRIX       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE To/Cc Destination rules
########  ######################   ##################################################

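# Sub-rule: the combined To/Cc text contains "@bigfoot.com" at least five times.
# The dot is escaped so that only a literal "." counts ("@bigfootXcom" matched
# before).
header    __SARE_TOCC_MULT_BIGFT5  ToCc =~ /(?:\@bigfoot\.com\b.*){5}/i
# Scored rule: fires only when none of SARE_TOCC_MULT_BIGFT6..9 fired.
meta      SARE_TOCC_MULT_BIGFT5    __SARE_TOCC_MULT_BIGFT5 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 || SARE_TOCC_MULT_BIGFT7 || SARE_TOCC_MULT_BIGFT6 )
describe  SARE_TOCC_MULT_BIGFT5    Sent to multiple bigfoot addresses
score     SARE_TOCC_MULT_BIGFT5    1.666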
#hist     SARE_TOCC_MULT_BIGFT5    Created by Bob Menschel Apr 09 2004
#counts   SARE_TOCC_MULT_BIGFT5    42s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_TOCC_MULT_BIGFT5    271s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_TOCC_MULT_BIGFT5    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TOCC_MULT_BIGFT5    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_MULT_BIGFT5    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_MULT_BIGFT5    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

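# Sub-rule: the combined To/Cc text contains "@bigfoot.com" at least six times.
# The dot is escaped so that only a literal "." counts ("@bigfootXcom" matched
# before).
header    __SARE_TOCC_MULT_BIGFT6  ToCc =~ /(?:\@bigfoot\.com\b.*){6}/i
# Scored rule: fires only when none of SARE_TOCC_MULT_BIGFT7..9 fired.
meta      SARE_TOCC_MULT_BIGFT6    __SARE_TOCC_MULT_BIGFT6 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 || SARE_TOCC_MULT_BIGFT7 )
describe  SARE_TOCC_MULT_BIGFT6    Sent to multiple bigfoot addresses
score     SARE_TOCC_MULT_BIGFT6    1.666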
#hist     SARE_TOCC_MULT_BIGFT6    Created by Bob Menschel Apr 09 2004
#counts   SARE_TOCC_MULT_BIGFT6    21s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_TOCC_MULT_BIGFT6    396s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_TOCC_MULT_BIGFT6    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TOCC_MULT_BIGFT6    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_MULT_BIGFT6    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_MULT_BIGFT6    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

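# Sub-rule: the combined To/Cc text contains "@bigfoot.com" at least seven
# times. The dot is escaped so that only a literal "." counts ("@bigfootXcom"
# matched before).
header    __SARE_TOCC_MULT_BIGFT7  ToCc =~ /(?:\@bigfoot\.com\b.*){7}/i
# Scored rule: fires only when neither SARE_TOCC_MULT_BIGFT8 nor ..._BIGFT9 fired.
meta      SARE_TOCC_MULT_BIGFT7    __SARE_TOCC_MULT_BIGFT7 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 )
describe  SARE_TOCC_MULT_BIGFT7    Sent to multiple bigfoot addresses
score     SARE_TOCC_MULT_BIGFT7    1.122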
#hist     SARE_TOCC_MULT_BIGFT7    Created by Bob Menschel Apr 09 2004
#counts   SARE_TOCC_MULT_BIGFT7    34s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_TOCC_MULT_BIGFT7    102s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_TOCC_MULT_BIGFT7    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TOCC_MULT_BIGFT7    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_MULT_BIGFT7    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_MULT_BIGFT7    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

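# Sub-rule: the combined To/Cc text contains "@bigfoot.com" at least eight
# times. The dot is escaped so that only a literal "." counts ("@bigfootXcom"
# matched before).
header    __SARE_TOCC_MULT_BIGFT8  ToCc =~ /(?:\@bigfoot\.com\b.*){8}/i
# Scored rule: fires only when SARE_TOCC_MULT_BIGFT9 did not fire.
meta      SARE_TOCC_MULT_BIGFT8    __SARE_TOCC_MULT_BIGFT8 && !( SARE_TOCC_MULT_BIGFT9 )
describe  SARE_TOCC_MULT_BIGFT8    Sent to multiple bigfoot addresses
score     SARE_TOCC_MULT_BIGFT8    1.172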
#stype    SARE_TOCC_MULT_BIGFT8    fixed
#hist     SARE_TOCC_MULT_BIGFT8    Created by Bob Menschel Apr 09 2004
#counts   SARE_TOCC_MULT_BIGFT8    25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_TOCC_MULT_BIGFT8    111s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_TOCC_MULT_BIGFT8    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TOCC_MULT_BIGFT8    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_MULT_BIGFT8    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_MULT_BIGFT8    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

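# Top tier of the BIGFT rules: the combined To/Cc text contains "@bigfoot.com"
# at least nine times. Scored directly, with no meta wrapper. The dot is escaped
# so that only a literal "." counts ("@bigfootXcom" matched before).
header    SARE_TOCC_MULT_BIGFT9    ToCc =~ /(?:\@bigfoot\.com\b.*){9}/i
describe  SARE_TOCC_MULT_BIGFT9    Sent to multiple bigfoot addresses
score     SARE_TOCC_MULT_BIGFT9    1.666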
#hist     SARE_TOCC_MULT_BIGFT9    Created by Bob Menschel Apr 09 2004
#counts   SARE_TOCC_MULT_BIGFT9    125s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_TOCC_MULT_BIGFT9    283s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_TOCC_MULT_BIGFT9    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TOCC_MULT_BIGFT9    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_MULT_BIGFT9    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_MULT_BIGFT9    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE User-Agent rules
########  ######################   ##################################################

# Case-sensitive, unanchored substring match on the User-Agent header.
# NOTE(review): User-Agent is written by the sending client, so this identifies
# a claimed mailer string only; the 0h figures below are from 2005 corpora.
header    SARE_USERAG_2            User-Agent =~ /eGroups Message Poster/
describe  SARE_USERAG_2            Strange user-agent header implying spam 
score     SARE_USERAG_2            3.333
#stype    SARE_USERAG_2            spamgg 
#counts   SARE_USERAG_2            35s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_USERAG_2            57s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_USERAG_2            1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_USERAG_2            0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_USERAG_2            2s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_USERAG_2            0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_USERAG_2            3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_USERAG_2            0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

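header    SARE_USERAG_3            User-Agent =~ /8\.0 for Windows sub 6014/i
describe  SARE_USERAG_3            Strange user-agent header implying spam 
score     SARE_USERAG_3            3.333
#note     SARE_USERAG_3            Case-insensitive substring match on one specific version string in User-Agent.
#note     SARE_USERAG_3            The dot in "8\.0" is escaped so it matches only a literal '.'; the #counts lines
#note     SARE_USERAG_3            below were measured with the earlier unescaped pattern.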
#stype    SARE_USERAG_3            spamgg
#hist     SARE_USERAG_3            Created by Bob Menschel Apr 28 2004
#counts   SARE_USERAG_3            28s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_USERAG_3            40s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_USERAG_3            8s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_USERAG_3            9s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_USERAG_3            2s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_USERAG_3            4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_USERAG_3            0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_USERAG_3            4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_USERAG_3            0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_USERAG_BAT          User-Agent =~ /^The Bat!/
describe  SARE_USERAG_BAT          Spamware pretending to be 'The Bat!'
score     SARE_USERAG_BAT          2.222
#note     SARE_USERAG_BAT          Fires on any User-Agent value that begins with "The Bat!" (case-sensitive, anchored).
#note     SARE_USERAG_BAT          NOTE(review): the describe text implies the genuine client does not announce itself in
#note     SARE_USERAG_BAT          User-Agent (SARE_HEAD_BAT_WEB also checks X-Mailer) - confirm before raising the score.
#stype    SARE_USERAG_BAT          spamg
#hist     SARE_USERAG_BAT          Tim Jackson, May 12 2005
#counts   SARE_USERAG_BAT          94s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_USERAG_BAT          12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_USERAG_BAT          14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_USERAG_BAT          1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
#counts   SARE_USERAG_BAT          15s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_USERAG_BAT          19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_USERAG_BAT          15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_USERAG_SPAM0        User-Agent =~ /(?:Foxmail|VXmailer|Mail Bomber|Rodriquezmail|LMAIL|MOMENTUM)/
describe  SARE_USERAG_SPAM0        Was sent by a SPAM User Agent
score     SARE_USERAG_SPAM0        1.666
#note     SARE_USERAG_SPAM0        Unanchored, case-sensitive alternation: a User-Agent containing any of the six names
#note     SARE_USERAG_SPAM0        hits, also when the name is part of a longer word (e.g. "LMAIL" inside another token).
#note     SARE_USERAG_SPAM0        NOTE(review): Foxmail is also an ordinary desktop mail client; the corpora listed below
#note     SARE_USERAG_SPAM0        show no ham hits, but sites with Foxmail correspondents should mass-check locally.
#hist     SARE_USERAG_SPAM0        SARE_TM2_RW_UA
#counts   SARE_USERAG_SPAM0        159s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_USERAG_SPAM0        175s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_USERAG_SPAM0        18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_USERAG_SPAM0        29s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_USERAG_SPAM0        5s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_USERAG_SPAM0        19s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_USERAG_SPAM0        15s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_USERAG_SPAM0        3s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

#####################################################################################
#         SARE X-Mailer Rules
########  ######################   ##################################################

header    SARE_XMAIL_DIRUNIV       X-Mailer =~ /Direct Universe/i
describe  SARE_XMAIL_DIRUNIV       Apparently uses spam/bulk mailer
score     SARE_XMAIL_DIRUNIV       1.111
#note     SARE_XMAIL_DIRUNIV       Case-insensitive substring match for "Direct Universe" anywhere in X-Mailer.
#note     SARE_XMAIL_DIRUNIV       X-Mailer is supplied by the sender, so this identifies a tool's default header only.
#stype    SARE_XMAIL_DIRUNIV       spamp
#hist     SARE_XMAIL_DIRUNIV       Bob Menschel, May 14 2005
#counts   SARE_XMAIL_DIRUNIV       36s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_XMAIL_DIRUNIV       48s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_XMAIL_DYNAMAILER    X-Mailer =~ /Dynamailer/
describe  SARE_XMAIL_DYNAMAILER    Bulk email fingerprint (DynaMailer) found
score     SARE_XMAIL_DYNAMAILER    1.111
#note     SARE_XMAIL_DYNAMAILER    Case-sensitive substring match: only the spelling "Dynamailer" hits.
#note     SARE_XMAIL_DYNAMAILER    NOTE(review): the describe text writes "DynaMailer"; a header using that capitalisation
#note     SARE_XMAIL_DYNAMAILER    would not match - confirm which spelling the tool actually emits.
#stype    SARE_XMAIL_DYNAMAILER    spamp
#hist     SARE_XMAIL_DYNAMAILER    Suggested via SA Dev mailing list bug 4127, Feb 9 2005
#counts   SARE_XMAIL_DYNAMAILER    14s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_DYNAMAILER    0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
#counts   SARE_XMAIL_DYNAMAILER    0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#counts   SARE_XMAIL_DYNAMAILER    1s/0h of 682 corpus (290s/392h CRF) 02/16/05
#counts   SARE_XMAIL_DYNAMAILER    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_DYNAMAILER    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_XMAIL_FNORD         X-Mailer =~ m'KYX CP/M FNORD 5602'
describe  SARE_XMAIL_FNORD         Recognized spam sign in xmail header
score     SARE_XMAIL_FNORD         1.666
#note     SARE_XMAIL_FNORD         Case-sensitive literal substring match on X-Mailer. The m'...' delimiters are used
#note     SARE_XMAIL_FNORD         because the text itself contains a '/' ("CP/M").
#hist     SARE_XMAIL_FNORD         Loren Wilton, Jul 23 2005
#counts   SARE_XMAIL_FNORD         527s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_FNORD         34s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_XMAIL_FNORD         0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_XMAIL_INTERMED      X-Mailer =~ /\bIntermedia mail\b/i
describe  SARE_XMAIL_INTERMED      possible spamware
score     SARE_XMAIL_INTERMED      0.850  
#note     SARE_XMAIL_INTERMED      Case-insensitive match for the whole phrase "Intermedia mail" (word boundaries on both
#note     SARE_XMAIL_INTERMED      sides) anywhere in X-Mailer; scored below 1 point, in line with "possible" in the describe text.
#hist     SARE_XMAIL_INTERMED      Alex Broens, June 30 2005
#counts   SARE_XMAIL_INTERMED      51s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_INTERMED      1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_XMAIL_INTERMED      1s/0h of 6905 corpus (1401s/5504h ft) 07/24/05

header    SARE_XMAIL_LEO           X-Mailer =~ /^[A-Z][a-x]+\s[a-z]{2}\s\d\.\d\d\s*$/      # no /i
score     SARE_XMAIL_LEO           2.333
describe  SARE_XMAIL_LEO           Spamsign in x-mailer header
#note     SARE_XMAIL_LEO           The whole X-Mailer value must be: one capitalised word, two lowercase letters, then a
#note     SARE_XMAIL_LEO           version of the form d.dd, separated by single whitespace (constructed example: "Abcde fg 1.23").
#note     SARE_XMAIL_LEO           Case matters (no /i). NOTE(review): the first word allows only a-x after the capital, so
#note     SARE_XMAIL_LEO           names containing y or z do not match - confirm whether that range is intentional.
#hist     SARE_XMAIL_LEO           Loren Wilton, Sept 07, 2005
#counts   SARE_XMAIL_LEO           2625s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_LEO           0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_XMAIL_LEO           0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_XMAIL_PHPBulkEmai   X-Mailer =~ /PHPBulkEmailer/i
describe  SARE_XMAIL_PHPBulkEmai   Apparently uses spam/bulk mailer
score     SARE_XMAIL_PHPBulkEmai   1.111
#note     SARE_XMAIL_PHPBulkEmai   Case-insensitive substring match for "PHPBulkEmailer" anywhere in X-Mailer.
#note     SARE_XMAIL_PHPBulkEmai   The rule name is a shortened form of the matched string, not a typo in the pattern.
#stype    SARE_XMAIL_PHPBulkEmai   spamp
#hist     SARE_XMAIL_PHPBulkEmai   Bob Menschel, Apr 11, 2005, from suggestion by Loren Wilton
#counts   SARE_XMAIL_PHPBulkEmai   14s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_XMAIL_PHPBulkEmai   45s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_XMAIL_PHPBulkEmai   1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_PHPBulkEmai   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_XMAIL_PHPBulkEmai   0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_XMAIL_PHPBulkEmai   1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_XMAIL_RANDMAILER    X-Mailer =~ /^([a-z]{4,12} ){1,3}$/
describe  SARE_XMAIL_RANDMAILER    only 1-3 lowercase words in X-mailer field
score     SARE_XMAIL_RANDMAILER    2.222  
#note     SARE_XMAIL_RANDMAILER    The whole X-Mailer value must consist of one to three lowercase words of 4-12 letters.
#note     SARE_XMAIL_RANDMAILER    Every word, including the last, must be followed by a single space, so a value without
#note     SARE_XMAIL_RANDMAILER    a trailing space does not match even if it is made of lowercase words.
#hist     SARE_XMAIL_RANDMAILER    from Pierre Thomson
#counts   SARE_XMAIL_RANDMAILER    413s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_RANDMAILER    103s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_XMAIL_RANDMAILER    112s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_XMAIL_RANDMAILER    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_XMAIL_RANDMAILER    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_XMAIL_RANDMAILER    20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_XMAIL_RANDMAILER    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_XMAIL_TTBOARD       X-Mailer =~ /TTBOARD/i 
describe  SARE_XMAIL_TTBOARD       X-Mailer used by spammer
score     SARE_XMAIL_TTBOARD       1.666
#note     SARE_XMAIL_TTBOARD       Case-insensitive substring match for "TTBOARD" anywhere in X-Mailer, including inside
#note     SARE_XMAIL_TTBOARD       a longer token. The header is sender-supplied, so this is a tool fingerprint only.
#stype    SARE_XMAIL_TTBOARD       spamp
#hist     SARE_XMAIL_TTBOARD       Created by Bob Menschel Jan 14 2005, based on info from Joel Rubin via Spam-L
#counts   SARE_XMAIL_TTBOARD       15s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_XMAIL_TTBOARD       230s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_XMAIL_TTBOARD       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_XMAIL_TTBOARD       0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_XMAIL_TTBOARD       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_TTBOARD       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Miscellaneous and X-Header header rules 
########  ######################   ##################################################

header    SARE_HEAD_DATE46         Date =~ /^.{46}$/
describe  SARE_HEAD_DATE46         Date header suggests this is spam
score     SARE_HEAD_DATE46         1.666
#note     SARE_HEAD_DATE46         Length-only test: hits when the Date value is exactly 46 characters; the content is
#note     SARE_HEAD_DATE46         not inspected. NOTE(review): presumably fingerprints one tool's date format - a legitimate
#note     SARE_HEAD_DATE46         Date with a long trailing comment could reach the same length; check against local ham.
#counts   SARE_HEAD_DATE46         409s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_DATE46         0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_HEAD_DATE46         0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_HEAD_DATE46         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_DATE46         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_LOC_INV1       Location =~ /^[a-z]+(?:\s[a-z]+)*$/ # no /i
describe  SARE_HEAD_LOC_INV1       Improper location
score     SARE_HEAD_LOC_INV1       1.666
#note     SARE_HEAD_LOC_INV1       Hits when the Location header consists only of lowercase words separated by single
#note     SARE_HEAD_LOC_INV1       whitespace characters; any capital letter, digit or punctuation prevents a match (no /i).
#hist     SARE_HEAD_LOC_INV1       Loren Wilton, Feb 21 2005
#counts   SARE_HEAD_LOC_INV1       130s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_LOC_INV1       24s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_HEAD_LOC_INV1       0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_HEAD_LOC_INV1       4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_LOC_INV1       127s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_LOC_INV1       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

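header    __MIME_VERSION           exists:MIME-Version
header    __SARE_HEAD_MIME_VALID   Mime-Version =~ m'^\s*1\.0\b'
meta      SARE_HEAD_MIME_INVALID   !__SARE_HEAD_MIME_VALID && __MIME_VERSION
describe  SARE_HEAD_MIME_INVALID   Invalid mime version
score     SARE_HEAD_MIME_INVALID   1.666
#note     SARE_HEAD_MIME_INVALID   Hits when a MIME-Version header exists but its value does not begin with "1.0"
#note     SARE_HEAD_MIME_INVALID   (leading whitespace allowed). Messages without the header are not flagged.
#note     SARE_HEAD_MIME_INVALID   The dot is escaped so values such as "100" or "1x0" are no longer accepted as valid.
#note     SARE_HEAD_MIME_INVALID   __MIME_VERSION is defined here under the name the change log attributes to stock SA.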
#stype    SARE_HEAD_MIME_INVALID   spamp
#hist     SARE_HEAD_MIME_INVALID   Bob Menschel, June 15 2006, inspired by Alex Broens
#counts   SARE_HEAD_MIME_INVALID   150s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_MIME_INVALID   1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05

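header    __SARE_HEAD_MIME_PROD    MIME-Version =~ /\(produced by [a-z]+ \d\.\d\)/
header    __SARE_HEAD_MIME_PROD2   Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$/
header    __SARE_HEAD_MIME_PROD3   MIME-Version =~ /1\.0 \(produced by [a-z]+ \d+\.\d+\)\s*$/
meta      SARE_HEAD_MIME_PROD      __SARE_HEAD_MIME_PROD || __SARE_HEAD_MIME_PROD2 || __SARE_HEAD_MIME_PROD3
describe  SARE_HEAD_MIME_PROD      Ratware MIME Version
score     SARE_HEAD_MIME_PROD      2.666
#note     SARE_HEAD_MIME_PROD      Hits on a MIME-Version carrying a "(produced by <lowercase word> <n.n>)" comment.
#note     SARE_HEAD_MIME_PROD      PROD is unanchored with single-digit version parts; PROD2 is the fully anchored form of
#note     SARE_HEAD_MIME_PROD      the same shape (anything it matches PROD matches too); PROD3 adds multi-digit versions.
#note     SARE_HEAD_MIME_PROD      The dot in PROD3's "1\.0" is now escaped, consistent with PROD2.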
#hist     SARE_HEAD_MIME_PROD      Originally: SARE_TM2_RW_MV
#hist     SARE_HEAD_MIME_PROD      Feb 26 2005: Added patterns offered by Eric Fagan and Loren Wilton
#counts   SARE_HEAD_MIME_PROD      284s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_MIME_PROD      862s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_MIME_PROD      309s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_MIME_PROD      364s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_HEAD_MIME_PROD      0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HEAD_MIME_PROD      62s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_MIME_PROD      460s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_MIME_PROD      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_THRD_ALNUM     Thread-Index =~ /ALNUM/
describe  SARE_HEAD_THRD_ALNUM     Spam fingerprint in thread index
score     SARE_HEAD_THRD_ALNUM     0.839
#note     SARE_HEAD_THRD_ALNUM     Case-sensitive match for the literal text "ALNUM" anywhere in Thread-Index.
#note     SARE_HEAD_THRD_ALNUM     NOTE(review): presumably an unexpanded template placeholder left by the sending tool - confirm.
#hist     SARE_HEAD_THRD_ALNUM     Alex Broens, July 27 2005
#counts   SARE_HEAD_THRD_ALNUM     51s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_HEAD_THRD_ALNUM     0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

header    SARE_HEAD_XMF_AUTHSNDR   X-Message-flag =~ /Authentic Sender/i
describe  SARE_HEAD_XMF_AUTHSNDR   Headers contains spam sign
score     SARE_HEAD_XMF_AUTHSNDR   1.666
#note     SARE_HEAD_XMF_AUTHSNDR   Case-insensitive substring match for "Authentic Sender" in X-Message-flag.
#note     SARE_HEAD_XMF_AUTHSNDR   The header is written by the sender, so the phrase carries no authentication value;
#note     SARE_HEAD_XMF_AUTHSNDR   the rule treats its presence as a fingerprint.
#stype    SARE_HEAD_XMF_AUTHSNDR   spamp
#hist     SARE_HEAD_XMF_AUTHSNDR   Created by Bob Menschel Jan 29 2005 from idea submitted by Alex Broens 
#counts   SARE_HEAD_XMF_AUTHSNDR   109s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_XMF_AUTHSNDR   726s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_HEAD_XMF_AUTHSNDR   67s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_XMF_AUTHSNDR   27s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_HEAD_XMF_AUTHSNDR   54s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_HEAD_XMF_AUTHSNDR   26s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_XMF_AUTHSNDR   89s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_XMF_AUTHSNDR   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_XM4            ALL =~ /\nX-M-.{4}:/          # usually 4:28:12
describe  SARE_HEAD_XM4            Contains spamsign header 
score     SARE_HEAD_XM4            1.111
#note     SARE_HEAD_XM4            Searches the full header block (ALL) for a header whose name is "X-M-" followed by any
#note     SARE_HEAD_XM4            four characters. The leading \n ties the match to the start of a header line; the
#note     SARE_HEAD_XM4            prefix is case-sensitive, so "x-m-" in another case is not matched.
#stype    SARE_HEAD_XM4            spamp
#hist     SARE_HEAD_XM4            Loren Wilton, June 2005
#counts   SARE_HEAD_XM4            80s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_XM4            0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_HEAD_XM4            0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

header    SARE_HEAD_XMIMEO_MS      X-MimeOLE =~ /Mircosoft MimeOLE/i
describe  SARE_HEAD_XMIMEO_MS      Ratware-misspelled header
score     SARE_HEAD_XMIMEO_MS      1.666
#note     SARE_HEAD_XMIMEO_MS      "Mircosoft" is the misspelling this rule detects - do not correct it in the pattern.
#note     SARE_HEAD_XMIMEO_MS      Case-insensitive substring match on X-MimeOLE.
#stype    SARE_HEAD_XMIMEO_MS      spamg
#hist     SARE_HEAD_XMIMEO_MS      Idea from dfs@roaringpenguin.com, http://bugzilla.spamassassin.org/show_bug.cgi?id=3349
#counts   SARE_HEAD_XMIMEO_MS      27s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_XMIMEO_MS      36s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#counts   SARE_HEAD_XMIMEO_MS      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_HEAD_XMIMEO_MS      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_XMIMEO_MS      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XMIMEO_MS      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Rules which identify headers found in email bodies
########  ######################   ##################################################

rawbody   SARE_HEAD_BDY_BOUNCES    /^Bounces_to: .{1,50}\@/
describe  SARE_HEAD_BDY_BOUNCES    Message header suggesting spam in body
score     SARE_HEAD_BDY_BOUNCES    1.666
#note     SARE_HEAD_BDY_BOUNCES    rawbody test: looks in the message body, not the headers, for text anchored with ^ that
#note     SARE_HEAD_BDY_BOUNCES    reads "Bounces_to: ", then 1-50 characters, then "@" (case-sensitive).
#note     SARE_HEAD_BDY_BOUNCES    Normally valid header currently very popular in spam. Presence in bounced emails strongly suggests bounced spam
#hist     SARE_HEAD_BDY_BOUNCES    Bob Menschel, Apr 10 2005
#counts   SARE_HEAD_BDY_BOUNCES    1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HEAD_BDY_BOUNCES    433s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_HEAD_BDY_BOUNCES    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_BDY_BOUNCES    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_BDY_BOUNCES    0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

#####################################################################################
#         SARE Rules which examine multiple header types
########  ######################   ##################################################

header    __THEBAT_MUA             X-Mailer =~ /The Bat!/
header    __SARE_HEAD_WEBMAIL      Message-ID =~ /<.+\@(yahoo|hotmail|cfswebmail)\.com>$/i
header    __SARE_HEAD_MAIL_BAT2    User-Agent =~ /^The Bat!/
meta      SARE_HEAD_BAT_WEB        __SARE_HEAD_WEBMAIL && ( __THEBAT_MUA || __SARE_HEAD_MAIL_BAT2 ) 
describe  SARE_HEAD_BAT_WEB        Webmail message ID, but The Bat! X-Mailer
score     SARE_HEAD_BAT_WEB        3.333
#note     SARE_HEAD_BAT_WEB        Consistency check between headers: a Message-ID ending in @yahoo.com, @hotmail.com or
#note     SARE_HEAD_BAT_WEB        @cfswebmail.com (case-insensitive) together with "The Bat!" anywhere in X-Mailer or at
#note     SARE_HEAD_BAT_WEB        the start of User-Agent. All three headers are sender-supplied; the signal is the mismatch.
#note     SARE_HEAD_BAT_WEB        __THEBAT_MUA is defined here under the name the change log attributes to SA 3.1.0.
#stype    SARE_HEAD_BAT_WEB        spamg
#hist     SARE_HEAD_BAT_WEB        Tim Jackson, May 11 2005
#counts   SARE_HEAD_BAT_WEB        1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_BAT_WEB        1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_BAT_WEB        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_BAT_WEB        32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    __SARE_MULT_BMASTGR1     Received    =~ /for bmastgr\@/
header    __SARE_MULT_BMASTGR2     ToCc        =~ /\bbmastgr\@/
header    __SARE_MULT_BMASTGR3     From        =~ /\bbmastgr\@/
header    __SARE_MULT_BMASTGR4     Envelope-to =~ /\bbmastgr\@/
header    __SARE_MULT_BMASTGR5     Subject     =~ /\bbmastgr\b/
meta      SARE_MULT_BMASTGR        ( __SARE_MULT_BMASTGR1 || __SARE_MULT_BMASTGR2 || __SARE_MULT_BMASTGR3 || __SARE_MULT_BMASTGR4 || __SARE_MULT_BMASTGR5 )
describe  SARE_MULT_BMASTGR        Directed to/from invalid address 
score     SARE_MULT_BMASTGR        5.000
#note     SARE_MULT_BMASTGR        Hits when the local part "bmastgr" appears in Received ("for bmastgr@"), To/Cc, From or
#note     SARE_MULT_BMASTGR        Envelope-to, or as a whole word in Subject. All five tests are case-sensitive and the
#note     SARE_MULT_BMASTGR        domain after "@" is not checked.
#note     SARE_MULT_BMASTGR        At 5.000 a single hit equals SpamAssassin's default required_score of 5.0, so this rule
#note     SARE_MULT_BMASTGR        alone can mark a message as spam - including one that only mentions the word in Subject.
#stype    SARE_MULT_BMASTGR        spamggg
#hist     SARE_MULT_BMASTGR        Missing meta dependencies fixed by Fred T, Oct 6 2005
#counts   SARE_MULT_BMASTGR        497s/0h of 487606 corpus (219627s/267979h RM) 10/07/05
#max      SARE_MULT_BMASTGR        1336s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
#counts   SARE_MULT_BMASTGR        0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_MULT_BMASTGR        0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_MULT_BMASTGR        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MULT_BMASTGR        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MULT_BMASTGR        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_MULT_FROM           ALL =~ /\nFrom:.{10,150}\nFrom:.{10,150}\nFrom:/s
score     SARE_MULT_FROM           0.777
describe  SARE_MULT_FROM           Many from lines
#note     SARE_MULT_FROM           Hits when the header block holds three "From:" header lines, each starting 10-150
#note     SARE_MULT_FROM           characters after the previous one. With /s the '.' also crosses line ends, so short
#note     SARE_MULT_FROM           headers may sit in between. "From:" is matched case-sensitively (no /i).
#note     SARE_MULT_FROM           Repeated From headers leave it ambiguous which sender a mail client displays, which is
#note     SARE_MULT_FROM           why the condition is worth scoring even with no hits in the latest corpora below.
#hist     SARE_MULT_FROM           Loren Wilton, June 2005
#counts   SARE_MULT_FROM           0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_MULT_FROM           40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_MULT_FROM           0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_MULT_FROM           0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_MULT_FROM           0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_MULT_FROM           0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

header    __SARE_MULT_FROM_MRS     From =~ /"Mrs[\. ][A-Z][a-z]+"/
header    __SARE_MULT_HITHERE      Subject =~ /^(?:HELLO|Hello|Hey|Hi)\w{0,8},?(?:Mrs\.)?/
body      __SARE_MULT_PROFILE      /(?:on-?line profile|profile (?:is )?on-?line)/
meta      SARE_MULT_SEXCLUB        __SARE_MULT_HITHERE && (__SARE_MULT_PROFILE || __SARE_MULT_FROM_MRS)
describe  SARE_MULT_SEXCLUB        Adult invitation spam
score     SARE_MULT_SEXCLUB        1.666
#note     SARE_MULT_SEXCLUB        Needs a greeting-style Subject plus either an "online profile" phrase in the body or a
#note     SARE_MULT_SEXCLUB        quoted From display name of the form "Mrs.Name" / "Mrs Name".
#note     SARE_MULT_SEXCLUB        In __SARE_MULT_HITHERE everything after the greeting word is optional, so the sub-rule
#note     SARE_MULT_SEXCLUB        is true for any Subject that starts with HELLO, Hello, Hey or Hi - including longer
#note     SARE_MULT_SEXCLUB        words with that prefix; the second condition carries the selectivity.
#hist     SARE_MULT_SEXCLUB        Loren Wilton, Feb 22 2005
#counts   SARE_MULT_SEXCLUB        2s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_MULT_SEXCLUB        114s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
#counts   SARE_MULT_SEXCLUB        8s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_MULT_SEXCLUB        54s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_MULT_SEXCLUB        59s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_MULT_SEXCLUB        11s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MULT_SEXCLUB        22s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MULT_SEXCLUB        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_MULT_SUBJ           ALL =~ /\nSubject:.{10,150}\nSubject:.{10,150}\nSubject:/s
score     SARE_MULT_SUBJ           0.777
describe  SARE_MULT_SUBJ           Many subject lines
#note     SARE_MULT_SUBJ           Hits when the header block holds three "Subject:" header lines, each starting 10-150
#note     SARE_MULT_SUBJ           characters after the previous one. With /s the '.' also crosses line ends, so short
#note     SARE_MULT_SUBJ           headers may sit in between. "Subject:" is matched case-sensitively (no /i).
#hist     SARE_MULT_SUBJ           Loren Wilton, June 2005
#counts   SARE_MULT_SUBJ           0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_MULT_SUBJ           40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_MULT_SUBJ           0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_MULT_SUBJ           0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_MULT_SUBJ           0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_MULT_SUBJ           0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

# EOF

# SARE Header Abuse Ruleset for SpamAssassin -- file 1
# Version:  01.03.16
# Created:  2004-04-25
# Modified: 2005-10-28
# Usage instructions and documentation in 70_sare_header0.cf 

# Full Revision History / Change Log in 70_sare_header.log
#@@# 01.03.16  Oct 28 2005
#@@#           Minor score updates based on additional mass-check
#@@#           Added to file 1:          SARE_HEAD_HDR_XLEGAL1, 2, 3, 4
#@@#           Added to file 1:          SARE_HEAD_HDR_XSIDPRA
#@@#           Added to file 1:          SARE_HEAD_HDR_XSIDRES
#@@#           Added to file 1:          SARE_RECV_IP_064034
#@@#           Added to file 1:          SARE_RECV_IP_209051
#@@#           Added to file 1:          SARE_RECV_IP_209190
#@@#           Added to file 1:          SARE_RECV_IP_216118120
#@@#           Modified:                 SARE_FROM_SPAM_DOMN0: split yahoo.net to separate rule
#@@#           Moved file 0 to file 1:   SARE_BOUNDARY_LC
#@@#           Moved file 0 to file 1:   SARE_FREE_WEBM_FrVoila
#@@#           Moved file 0 to file 1:   SARE_FREE_WEBM_Mailexc
#@@#           Moved file 0 to file 1:   SARE_HEAD_HDR_XBBOUNC
#@@#           Moved file 0 to file 1:   SARE_HEAD_XWORD
#@@#           Moved file 0 to file 1:   SARE_RECV_IP_066165224
#@@#           Moved file 0 to file 1:   SARE_RECV_IP_218088
#@@#           Moved file 0 to file 1:   SARE_XMAIL_TOLMAIL
#@@#           Moved file 1 to file 0:   SARE_HEAD_XMIMEO_MS
#@@#           Moved file 1 to file 0:   SARE_RECV_IP_069060122
#@@#           Moved file 1 to file 0:   SARE_XMAIL_DYNAMAILER
#@@#           Moved file 1 to file 2:   SARE_FREE_WEBM_USACOPS
#@@#           Moved file 1 to file 2:   SARE_HEAD_HDR_XEMGBMS
#@@#           Moved file 1 to file 2:   SARE_HEAD_XCANIT1
#@@#           Moved file 1 to file 2:   SARE_HEAD_XCANIT2
#@@#           Moved file 1 to file 2:   SARE_MSGID_SPAM_DOMN0
#@@#           Moved file 1 to file 2:   SARE_MSGID_SUSP2
#@@#           Moved file 1 to file 2:   SARE_RECV_IP_081019
#@@#           Moved file 1 to file 2:   SARE_RECV_IP_211049
#@@#           Moved file 1 to file 2:   SARE_RECV_RND_NUMBER
#@@#           Moved file 1 to file 3:   SARE_FROM_NONAME
#@@#           Moved file 1 to file 3:   SARE_FROM_SPAM_CHAR0
#@@#           Moved file 1 to file 3:   SARE_HEAD_XCOM_RFCMIN
#@@#           Moved file 1 to file 3:   SARE_RECV_IP_080178
#@@#           Moved file 1 to file 3:   SARE_XMAIL_SUSP3
#@@#           Moved file 2 to file 1:   SARE_FROM_AST
#@@#           Moved file 2 to file 1:   SARE_HEAD_HDR_XCNDINF
#@@#           Moved file 3 to file 1:   SARE_FROM_SPAM_MONEY2
#@@#           Moved from file 1 to x31: SARE_MSGID_DBL_AT
#@@#           Replaced                  __SARE_HEAD_HDR_RCVD with SA 3.1.0 rule __HAS_RCVD
#@@#           Split mail2world.com from SARE_FREE_WEBM_ZCom03

# License: Artistic - see http://www.rulesemporium.com/license.txt 
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_header1.cf 

########  ######################   ##################################################
#    Component rules used within meta rules 
########  ######################   ##################################################

#note     __SARE_HEAD_8BIT_SUBJ    Scoreless component rule (double-underscore name): true when Subject contains a run of
#note     __SARE_HEAD_8BIT_SUBJ    three or more consecutive characters in the range \x80-\xff.
header    __SARE_HEAD_8BIT_SUBJ    Subject =~ /[\x80-\xff]{3,}/

########  ######################   ##################################################
#    Meta rules used to prevent --lint errors after moving/changing rules
########  ######################   ##################################################

# Each line below defines the named rule as the constant 0, so it can never hit.
# Per the section heading, these placeholders exist only so that names which were
# moved to another file or changed still resolve and --lint does not complain.
# NOTE(review): several names here are listed in the change log above as moved to
# file 2, file 3 or x31. If the file holding the real definition is read before
# this one, the stub here would presumably replace it - confirm the load order.
meta      SARE_FREE_WEBM_CZSEZNA   0
meta      SARE_FROM_MULTI_DASH     0
meta      SARE_HEAD_DATE18         0
meta      SARE_MSGID_LONG40        0
meta      SARE_MSGID_LONG55        0
meta      SARE_MULT_VIA_FWCATS     0
meta      SARE_RECV_IP_064080      0
meta      SARE_RECV_ISWEST         0
meta      SARE_FROM_AMERICA        0
meta      SARE_HEAD_SUBJ_RAND      0
meta      SARE_HEAD_XORIP_IP       0
meta      SARE_MSGID_06D6          0
meta      SARE_RECV_IP_142046      0
meta      SARE_RECV_IP_212164      0
meta      SARE_BOUNDARY_MULTB      0
meta      SARE_FROM_NUM_9DIG       0
meta      SARE_FROM_PRINTER        0
meta      SARE_HEAD_8BIT_NOSPM     0
meta      SARE_HEAD_8BIT_SPAM      0
meta      SARE_HEAD_HDR_XCCDIAG    0
meta      SARE_HEAD_HDR_XMAILTH    0
meta      SARE_HEAD_HDR_XSMTPSV    0
meta      SARE_HEAD_HDR_XUMAIL     0
meta      SARE_HELO_SERVER         0
meta      SARE_MSGID_LONG35        0
meta      SARE_MSGID_LONG65        0
meta      SARE_MSGID_LONG75        0
meta      SARE_RECV_IP_066111      0
meta      SARE_RECV_SUSP_3         0
meta      SARE_XMAIL_XMAIL         0
meta      SARE_HEAD_HDR_XEMGBMS    0
meta      SARE_HEAD_XCANIT1        0
meta      SARE_HEAD_XCANIT2        0
meta      SARE_MSGID_SPAM_DOMN0    0
meta      SARE_MSGID_SUSP2         0
meta      SARE_RECV_IP_081019      0
meta      SARE_RECV_IP_211049      0
meta      SARE_RECV_RND_NUMBER     0
meta      SARE_FROM_NONAME         0
meta      SARE_FROM_SPAM_CHAR0     0
meta      SARE_HEAD_XCOM_RFCMIN    0
meta      SARE_RECV_IP_080178      0
meta      SARE_XMAIL_SUSP3         0
meta      SARE_MSGID_DBL_AT        0
meta      SARE_FREE_WEBM_USACOPS   0

#####################################################################################
#         SARE Header-Exists rules
########  ######################   ##################################################

header    SARE_HEAD_HDR_ALTREC     exists:Alternate-Recipient
describe  SARE_HEAD_HDR_ALTREC     Message headers used which identify spam
score     SARE_HEAD_HDR_ALTREC     0.148
#note     SARE_HEAD_HDR_ALTREC     Presence-only test: hits whenever an Alternate-Recipient header exists, whatever its value.
#note     SARE_HEAD_HDR_ALTREC     The #ham and #counts lines below record legitimate mail carrying this header (5 ham hits
#note     SARE_HEAD_HDR_ALTREC     in the RM corpus), so treat it as a weak indicator and keep the score low.
#ham      SARE_HEAD_HDR_ALTREC     "Alternate-recipient: prohibited", From: JOEL RHEINBERGER <xxx@abc.net.au>, UA-content-id: A266IPY323WU, A1-type: MAIL, Hop-count: 1, Received: from VAXB.abc.net.au, no indication which email client was used
#counts   SARE_HEAD_HDR_ALTREC     98s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_HDR_ALTREC     324s/4h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_ALTREC     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_ALTREC     43s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_ALTREC     44s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_ALTREC     19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_HEAD_HDR_ALTREC     21s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_ALTREC     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_APPROV     exists:Approved
describe  SARE_HEAD_HDR_APPROV     Message headers used which identify spam
score     SARE_HEAD_HDR_APPROV     0.817
#note     SARE_HEAD_HDR_APPROV     Presence-only test: hits whenever an Approved header exists, whatever its value.
#note     SARE_HEAD_HDR_APPROV     The #hist line below records 2 confirmed ham. NOTE(review): moderated mailing lists and
#note     SARE_HEAD_HDR_APPROV     news gateways also use a header of this name - check local list traffic before relying on it.
#hist     SARE_HEAD_HDR_APPROV     Moved file 0 to 1, version 01.03.09, 2 ham confirmed
#counts   SARE_HEAD_HDR_APPROV     21s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_APPROV     163s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_APPROV     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_APPROV     19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_APPROV     21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_APPROV     7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_APPROV     19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_APPROV     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#todo     SARE_HEAD_HDR_AUTSUBD    Test both rules independently %%%
#note     SARE_HEAD_HDR_AUTSUBD    Both header lines below define the same rule name. NOTE(review): the second definition
#note     SARE_HEAD_HDR_AUTSUBD    is expected to replace the first, leaving only the X-RMD-Text test active - confirm with
#note     SARE_HEAD_HDR_AUTSUBD    a test message carrying only Auto-Submitted.
#note     SARE_HEAD_HDR_AUTSUBD    Auto-Submitted is a standard header on automatic replies (RFC 3834), so when the two
#note     SARE_HEAD_HDR_AUTSUBD    tests are split, give that one its own rule name and mass-check it against ham first.
header    SARE_HEAD_HDR_AUTSUBD    exists:Auto-submitted
header    SARE_HEAD_HDR_AUTSUBD    exists:X-RMD-Text
describe  SARE_HEAD_HDR_AUTSUBD    Message headers used which identify spam
score     SARE_HEAD_HDR_AUTSUBD    1.111
#stype    SARE_HEAD_HDR_AUTSUBD    spamp
#counts   SARE_HEAD_HDR_AUTSUBD    33s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_AUTSUBD    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_AUTSUBD    1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_AUTSUBD    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_AUTSUBD    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_AUTSUBD    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_DISCREC    exists:Disclose-Recipients
describe  SARE_HEAD_HDR_DISCREC    Message headers used which identify spam
score     SARE_HEAD_HDR_DISCREC    0.739
#note     SARE_HEAD_HDR_DISCREC    Presence-only test: hits whenever a Disclose-Recipients header exists, whatever its value.
#note     SARE_HEAD_HDR_DISCREC    The #ham line below records confirmed legitimate senders, so this is a weak indicator.
#ham      SARE_HEAD_HDR_DISCREC    confirmed (4), Used by usdoj.gov
#counts   SARE_HEAD_HDR_DISCREC    28s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_HDR_DISCREC    210s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_DISCREC    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_DISCREC    32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_DISCREC    33s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_DISCREC    5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_DISCREC    9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_DISCREC    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_MSGTYPE    exists:Message-Type
describe  SARE_HEAD_HDR_MSGTYPE    Message headers used which identify spam
score     SARE_HEAD_HDR_MSGTYPE    0.555
#note     SARE_HEAD_HDR_MSGTYPE    Presence-only test: hits whenever a Message-Type header exists, whatever its value.
#note     SARE_HEAD_HDR_MSGTYPE    The #counts lines below show a single spam hit across all corpora, so the rule rests on
#note     SARE_HEAD_HDR_MSGTYPE    very little evidence.
#stype    SARE_HEAD_HDR_MSGTYPE    spamp
#counts   SARE_HEAD_HDR_MSGTYPE    1s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#max      SARE_HEAD_HDR_MSGTYPE    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_X400RCV    exists:X400-Received
describe  SARE_HEAD_HDR_X400RCV    Message headers used which identify spam
score     SARE_HEAD_HDR_X400RCV    0.555
#note     SARE_HEAD_HDR_X400RCV    Presence-only test: hits whenever an X400-Received header exists, whatever its value.
#note     SARE_HEAD_HDR_X400RCV    The #counts lines below show a single spam hit across all corpora. NOTE(review): the name
#note     SARE_HEAD_HDR_X400RCV    suggests mail relayed through an X.400 gateway, which can be legitimate - confirm locally.
#stype    SARE_HEAD_HDR_X400RCV    spamp
#counts   SARE_HEAD_HDR_X400RCV    1s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#max      SARE_HEAD_HDR_X400RCV    1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-BBounce header. The latest RM mass-check shows
# 174 spam and 2 ham hits, and the #ham line flags ham hits as likely.
header    SARE_HEAD_HDR_XBBOUNC    exists:X-BBounce
describe  SARE_HEAD_HDR_XBBOUNC    Message headers used which identify spam
score     SARE_HEAD_HDR_XBBOUNC    0.878
#ham      SARE_HEAD_HDR_XBBOUNC    likely (2) 
#counts   SARE_HEAD_HDR_XBBOUNC    174s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XBBOUNC    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XBBOUNC    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XBBOUNC    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XBBOUNC    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-CND-Info header (6 spam / 0 ham hits in the
# latest RM mass-check, none in the other corpora listed).
header    SARE_HEAD_HDR_XCNDINF    exists:X-CND-Info
describe  SARE_HEAD_HDR_XCNDINF    Message headers used which identify spam
score     SARE_HEAD_HDR_XCNDINF    0.555
#stype    SARE_HEAD_HDR_XCNDINF    spamp
#counts   SARE_HEAD_HDR_XCNDINF    6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-ENC header. The most recent RM mass-check
# (05/13/05) shows no hits at all; the #max line records the earlier peak.
header    SARE_HEAD_HDR_XENC       exists:X-ENC
describe  SARE_HEAD_HDR_XENC       Message headers used which identify spam
score     SARE_HEAD_HDR_XENC       1.111
#stype    SARE_HEAD_HDR_XENC       spamp
#hist     SARE_HEAD_HDR_XENC       Created by Bob Menschel Sep 03 2004
#counts   SARE_HEAD_HDR_XENC       0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_HEAD_HDR_XENC       19s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XENC       1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_HEAD_HDR_XENC       0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
#counts   SARE_HEAD_HDR_XENC       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XENC       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

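# Fires when an X-Identity-Key header is present on a message that also has
# at least one Received header.
# NOTE(review): this block used to define SARE_HEAD_HDR_XIDKEY twice, first as
# the meta below and then again as a plain
# "header SARE_HEAD_HDR_XIDKEY exists:X-Identity-Key". Two definitions under
# one rule name leave a single effective test (presumably the later header
# line), which silently drops the __HAS_RCVD condition. The leftover header
# definition is removed so the meta is the only one; confirm with
# "spamassassin --lint" and re-run the mass-check, since the #counts below
# may have been measured against the header-only form.
header    __HAS_RCVD               exists:Received
header    __SARE_HEAD_HDR_IDKEY    exists:X-Identity-Key
meta      SARE_HEAD_HDR_XIDKEY     __SARE_HEAD_HDR_IDKEY  && __HAS_RCVD
describe  SARE_HEAD_HDR_XIDKEY     Apparent spam sign in headers
score     SARE_HEAD_HDR_XIDKEY     1.666
#ham      SARE_HEAD_HDR_XIDKEY     verified (4)
#hist     SARE_HEAD_HDR_XIDKEY     Created by Chris Santerre Aug 31 2004
#counts   SARE_HEAD_HDR_XIDKEY     3611s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XIDKEY     68s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_XIDKEY     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_HDR_XIDKEY     67s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_HEAD_HDR_XIDKEY     3s/1h of 7500 corpus (1767s/5733h ft) 09/18/05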

# X-Legal sub-tests shared by SARE_HEAD_HDR_XLEGAL1 .. XLEGAL4:
#   __SARE_HEAD_HDR_XLEGAL   the header is present
#   __SARE_HEAD_HDR_XLEGAC   value mentions "copyright" or "(c)"
#   __SARE_HEAD_HDR_XLEGAI   value contains "in compliance"
#   __SARE_HEAD_HDR_XLEGAB   value contains "BE ADVISED"
# The three value matches are case-insensitive.
# XLEGAL1: both phrases are present and there is no copyright marker.
header    __SARE_HEAD_HDR_XLEGAL   exists:X-Legal
header    __SARE_HEAD_HDR_XLEGAC   X-Legal =~ m'copyright|\(c\)'i
header    __SARE_HEAD_HDR_XLEGAI   X-Legal =~ m'in compliance'i
header    __SARE_HEAD_HDR_XLEGAB   X-Legal =~ m'BE ADVISED'i
meta      SARE_HEAD_HDR_XLEGAL1    __SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI && !__SARE_HEAD_HDR_XLEGAC
describe  SARE_HEAD_HDR_XLEGAL1    Message headers used which identify spam
score     SARE_HEAD_HDR_XLEGAL1    1.666
#stype    SARE_HEAD_HDR_XLEGAL1    spamgg
#hist     SARE_HEAD_HDR_XLEGAL1    Bob Menschel, Aug 07 2005
#counts   SARE_HEAD_HDR_XLEGAL1    7s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XLEGAL1    0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_HEAD_HDR_XLEGAL1    0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# XLEGAL2: X-Legal contains "BE ADVISED" or "in compliance" but not the
# both-phrases case already covered by SARE_HEAD_HDR_XLEGAL1, and has no
# copyright marker. No hits in any mass-check listed below.
meta      SARE_HEAD_HDR_XLEGAL2    ( __SARE_HEAD_HDR_XLEGAB || __SARE_HEAD_HDR_XLEGAI ) && !__SARE_HEAD_HDR_XLEGAC && !SARE_HEAD_HDR_XLEGAL1
describe  SARE_HEAD_HDR_XLEGAL2    Message headers used which identify spam
score     SARE_HEAD_HDR_XLEGAL2    1.666
#stype    SARE_HEAD_HDR_XLEGAL2    spamgg
#hist     SARE_HEAD_HDR_XLEGAL2    Bob Menschel, Aug 07 2005
#counts   SARE_HEAD_HDR_XLEGAL2    0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XLEGAL2    0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_HEAD_HDR_XLEGAL2    0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

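# XLEGAL3: X-Legal is present with no copyright marker and neither
# SARE_HEAD_HDR_XLEGAL1 nor SARE_HEAD_HDR_XLEGAL2 matched.
# The expression previously listed !SARE_HEAD_HDR_XLEGAL1 twice and never
# excluded XLEGAL2, so a message hitting XLEGAL2 also hit this rule and was
# scored 1.666 twice for the same header. The second term now excludes
# XLEGAL2.
meta      SARE_HEAD_HDR_XLEGAL3    __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !SARE_HEAD_HDR_XLEGAL2 && !__SARE_HEAD_HDR_XLEGAC
describe  SARE_HEAD_HDR_XLEGAL3    Message headers used which identify spam
score     SARE_HEAD_HDR_XLEGAL3    1.666
#stype    SARE_HEAD_HDR_XLEGAL3    spamgg
#hist     SARE_HEAD_HDR_XLEGAL3    Bob Menschel, Aug 07 2005
#counts   SARE_HEAD_HDR_XLEGAL3    0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XLEGAL3    0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_HEAD_HDR_XLEGAL3    0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05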

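# XLEGAL4: catch-all for an X-Legal header that none of XLEGAL1..3 matched,
# which works out to the copyright-marker case. Ham hits outnumber spam hits
# in the RM mass-check below, hence the near-zero score.
# The expression previously listed !SARE_HEAD_HDR_XLEGAL1 twice; the second
# term is now !SARE_HEAD_HDR_XLEGAL2 so the rule excludes each sibling once.
# The set of messages matched is the same either way.
meta      SARE_HEAD_HDR_XLEGAL4    __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !SARE_HEAD_HDR_XLEGAL2 && !SARE_HEAD_HDR_XLEGAL3
describe  SARE_HEAD_HDR_XLEGAL4    Message headers used which might identify spam
score     SARE_HEAD_HDR_XLEGAL4    0.100
#hist     SARE_HEAD_HDR_XLEGAL4    Bob Menschel, Aug 07 2005
#counts   SARE_HEAD_HDR_XLEGAL4    3s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XLEGAL4    0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_HEAD_HDR_XLEGAL4    0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05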

# Presence-only test for an X-LISTADDRESS header (46 spam / 0 ham hits in the
# latest RM mass-check, none in the other corpora listed).
header    SARE_HEAD_HDR_XLISTAD    exists:X-LISTADDRESS
describe  SARE_HEAD_HDR_XLISTAD    Message headers used which identify spam
score     SARE_HEAD_HDR_XLISTAD    1.111
#stype    SARE_HEAD_HDR_XLISTAD    spamp
#counts   SARE_HEAD_HDR_XLISTAD    46s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XLISTAD    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XLISTAD    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XLISTAD    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XLISTAD    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-Mailid header. Results differ sharply by
# corpus: RM shows 222 spam / 0 ham hits, while CT shows ham hits only
# (0s/2h, previously 0s/3h), so check local mail before relying on it.
header    SARE_HEAD_HDR_XMAILID    exists:X-Mailid
describe  SARE_HEAD_HDR_XMAILID    Message headers used which identify spam
score     SARE_HEAD_HDR_XMAILID    0.966
#counts   SARE_HEAD_HDR_XMAILID    222s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XMAILID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMAILID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMAILID    0s/2h of 10590 corpus (5819s/4771h CT) 07/26/05
#was      SARE_HEAD_HDR_XMAILID    0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMAILID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-ME-bounce-domain header. Hit counts are small
# (2 spam in the latest RM mass-check, peak of 8) with no ham hits recorded.
header    SARE_HEAD_HDR_XMEBDOM    exists:X-ME-bounce-domain
describe  SARE_HEAD_HDR_XMEBDOM    Message headers used which identify spam
score     SARE_HEAD_HDR_XMEBDOM    0.555
#stype    SARE_HEAD_HDR_XMEBDOM    spamp
#counts   SARE_HEAD_HDR_XMEBDOM    2s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_XMEBDOM    8s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#counts   SARE_HEAD_HDR_XMEBDOM    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMEBDOM    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMEBDOM    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMEBDOM    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-Mailer-Server header. The latest RM mass-check
# shows 67 spam and 10 ham hits, so a hit is only a weak hint.
header    SARE_HEAD_HDR_XMLRSRV    exists:X-Mailer-Server
describe  SARE_HEAD_HDR_XMLRSRV    Message headers used which identify spam
score     SARE_HEAD_HDR_XMLRSRV    0.372 
#ham      SARE_HEAD_HDR_XMLRSRV    verified (1)
#counts   SARE_HEAD_HDR_XMLRSRV    67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XMLRSRV    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMLRSRV    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMLRSRV    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMLRSRV    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-Response-ID header (35 spam / 0 ham hits in the
# latest RM mass-check, none in the other corpora listed).
header    SARE_HEAD_HDR_XRESPID    exists:X-Response-ID
describe  SARE_HEAD_HDR_XRESPID    Message headers used which identify spam
score     SARE_HEAD_HDR_XRESPID    1.111
#stype    SARE_HEAD_HDR_XRESPID    spamp
#counts   SARE_HEAD_HDR_XRESPID    35s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XRESPID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRESPID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XRESPID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRESPID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-RIPE header. Hits appear only in the RM corpus
# (4 spam in the latest mass-check, peak of 16) with no ham hits recorded.
header    SARE_HEAD_HDR_XRIPE      exists:X-RIPE
describe  SARE_HEAD_HDR_XRIPE      Message headers used which identify spam
score     SARE_HEAD_HDR_XRIPE      1.111
#stype    SARE_HEAD_HDR_XRIPE      spamp
#counts   SARE_HEAD_HDR_XRIPE      4s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_XRIPE      16s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-SafeMailer-MsgId header. No mass-check below
# records more than one spam hit.
header    SARE_HEAD_HDR_XSAFMMI    exists:X-SafeMailer-MsgId
describe  SARE_HEAD_HDR_XSAFMMI    Message headers used which identify spam
score     SARE_HEAD_HDR_XSAFMMI    0.555
#stype    SARE_HEAD_HDR_XSAFMMI    spamp
#counts   SARE_HEAD_HDR_XSAFMMI    1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_XSAFMMI    1s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-SID-PRA header.
# NOTE(review): the hit counts are identical to SARE_HEAD_HDR_XSIDRES in both
# corpora, so the two headers presumably arrive together and one message is
# scored by both rules -- confirm before raising either score. The describe
# text "fingerprint" gives the recipient no hint of what matched.
header    SARE_HEAD_HDR_XSIDPRA    exists:X-SID-PRA
describe  SARE_HEAD_HDR_XSIDPRA    fingerprint
score     SARE_HEAD_HDR_XSIDPRA    0.684
#hist     SARE_HEAD_HDR_XSIDPRA    Alex Broens, Aug 3 2005
#counts   SARE_HEAD_HDR_XSIDPRA    113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XSIDPRA    3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

# Presence-only test for an X-SID-Result header.
# NOTE(review): the hit counts are identical to SARE_HEAD_HDR_XSIDPRA in both
# corpora, so the two headers presumably arrive together and one message is
# scored by both rules -- confirm before raising either score. The describe
# text "fingerprint" gives the recipient no hint of what matched.
header    SARE_HEAD_HDR_XSIDRES    exists:X-SID-Result
describe  SARE_HEAD_HDR_XSIDRES    fingerprint
score     SARE_HEAD_HDR_XSIDRES    0.684
#hist     SARE_HEAD_HDR_XSIDRES    Alex Broens, Aug 3 2005
#counts   SARE_HEAD_HDR_XSIDRES    113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XSIDRES    3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

# Presence-only test for an X-TID header. The latest RM and MY mass-checks
# show one spam hit each; the #max line records an earlier peak of 19.
header    SARE_HEAD_HDR_XTID       exists:X-TID
describe  SARE_HEAD_HDR_XTID       Message headers used which identify spam
score     SARE_HEAD_HDR_XTID       1.111
#stype    SARE_HEAD_HDR_XTID       spamp
#counts   SARE_HEAD_HDR_XTID       1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_XTID       19s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_XTID       1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_HEAD_HDR_XTID       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XTID       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XTID       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Presence-only test for an X-WTID header.
# NOTE(review): every count below equals the matching line for
# SARE_HEAD_HDR_XWTVERS, including the single ham hit in the ft corpus, so
# both rules presumably fire on the same messages and their scores add up.
header    SARE_HEAD_HDR_XWTID      exists:X-WTID
describe  SARE_HEAD_HDR_XWTID      Message headers used which identify spam
score     SARE_HEAD_HDR_XWTID      0.611
#counts   SARE_HEAD_HDR_XWTID      20s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_XWTID      29s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_HEAD_HDR_XWTID      0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XWTID      0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XWTID      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XWTID      0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05

# Presence-only test for an X-WTVersion header.
# NOTE(review): every count below equals the matching line for
# SARE_HEAD_HDR_XWTID, including the single ham hit in the ft corpus, so
# both rules presumably fire on the same messages and their scores add up.
header    SARE_HEAD_HDR_XWTVERS    exists:X-WTVersion
describe  SARE_HEAD_HDR_XWTVERS    Message headers used which identify spam
score     SARE_HEAD_HDR_XWTVERS    0.611
#stype    SARE_HEAD_HDR_XWTVERS    spamp
#counts   SARE_HEAD_HDR_XWTVERS    20s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_XWTVERS    29s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_HEAD_HDR_XWTVERS    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XWTVERS    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XWTVERS    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XWTVERS    0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05

# Presence-only test for an Original-Recipient header. The #ham note records
# hits on delivery-delayed notices from a postmaster address, and the latest
# RM mass-check shows 21 ham hits, so legitimate delivery reports can trip
# this rule.
header    SARE_HEAD_ORIG_RECIP     exists:Original-Recipient
describe  SARE_HEAD_ORIG_RECIP     Message header used which suggests spam 
score     SARE_HEAD_ORIG_RECIP     0.669
#hist     SARE_HEAD_ORIG_RECIP     Bob Menschel, Feb 26 2005
#ham      SARE_HEAD_ORIG_RECIP     delivery delayed messages from Postmaster@justact.org
#counts   SARE_HEAD_ORIG_RECIP     351s/21h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_ORIG_RECIP     388s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_HEAD_ORIG_RECIP     64s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_ORIG_RECIP     10s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_HEAD_ORIG_RECIP     17s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_HEAD_ORIG_RECIP     19s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_ORIG_RECIP     64s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_ORIG_RECIP     6s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

#####################################################################################
#         SARE Content-Type and Boundary rules
########  ######################   ##################################################

# Matches a quoted MIME boundary made of exactly eight hyphens followed by
# exactly 20 lowercase letters. There is no /i flag, so uppercase letters do
# not match. Hits have dropped from a peak of 451 (09/04/04) to 5 in the
# latest RM mass-check.
header    SARE_BOUNDARY_05         Content-Type =~ /boundary="-{8}[a-z]{20}"/
describe  SARE_BOUNDARY_05         Content type boundary used in spam 
score     SARE_BOUNDARY_05         1.666  
#stype    SARE_BOUNDARY_05         vbggg
#hist     SARE_BOUNDARY_05         Moved from file 0 to 1 May 2005
#counts   SARE_BOUNDARY_05         5s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_BOUNDARY_05         451s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
#counts   SARE_BOUNDARY_05         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_BOUNDARY_05         5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_BOUNDARY_05         6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_BOUNDARY_05         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_BOUNDARY_05         1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_BOUNDARY_05         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a quoted MIME boundary of the form Boundary_<5>_<4>_<23>, where each
# <n> is a run of exactly n word characters (\w). The match is
# case-insensitive.
header    SARE_BOUNDARY_06         Content-Type =~ /boundary="Boundary_\w{5}_\w{4}_\w{23}"/i
describe  SARE_BOUNDARY_06         Content type boundary used in spam 
score     SARE_BOUNDARY_06         1.666
#stype    SARE_BOUNDARY_06         vbggg
#hist     SARE_BOUNDARY_06         Created by Bob Menschel May 4 2004
#hist     SARE_BOUNDARY_06         Moved from file 0 to 1 May 2005
#counts   SARE_BOUNDARY_06         84s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_06         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_BOUNDARY_06         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_BOUNDARY_06         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_06         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a quoted MIME boundary built from 4 to 20 groups of uppercase
# letters/digits, each group followed by one or more dots or underscores,
# with optional leading separators and an optional trailing run of uppercase
# letters/digits. There is no /i flag, so lowercase boundaries do not match;
# the /s flag has no effect because the pattern contains no bare "." wildcard.
# The #ham notes and the 6 ham hits in the RM mass-check show that legitimate
# senders produce this shape too.
header    SARE_BOUNDARY_08         Content-Type =~ /boundary="[\.\_]*(?:[A-Z\d]+[\.\_]+){4,20}[A-Z\d]*\"/s
describe  SARE_BOUNDARY_08         Improbable MIME boundary format
score     SARE_BOUNDARY_08         1.666
#hist     SARE_BOUNDARY_08         LW_BOUNDARY1
#ham      SARE_BOUNDARY_08         ServiceMagic <customerservice@servicemagic.com>, 2001
#ham      SARE_BOUNDARY_08         verizon wireless picture phone transmission
#counts   SARE_BOUNDARY_08         5929s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_08         15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_BOUNDARY_08         228s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_BOUNDARY_08         0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_BOUNDARY_08         1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_BOUNDARY_08         6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_BOUNDARY_08         18s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_BOUNDARY_08         0s/2h of 7500 corpus (1767s/5733h ft) 09/18/05

# Matches a quoted MIME boundary consisting of exactly ten digits and nothing
# else. The #ham line records one verified legitimate hit.
header    SARE_BOUNDARY_D10        Content-Type =~ /boundary="\d{10}"/
describe  SARE_BOUNDARY_D10        Content type boundary used in spam or virus
score     SARE_BOUNDARY_D10        1.400
#ham      SARE_BOUNDARY_D10        verified (1) 
#hist     SARE_BOUNDARY_D10        Created by Bob Menschel May 31 2004
#counts   SARE_BOUNDARY_D10        134s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_D10        3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_BOUNDARY_D10        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_BOUNDARY_D10        5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_BOUNDARY_D10        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a quoted MIME boundary made only of lowercase letters, unless it
# starts with "ffff". The (?!ffff) lookahead is the exception for the
# newsletter senders named in the second #ham note. No /i flag: a boundary
# containing any uppercase letter, digit or punctuation does not match.
header    SARE_BOUNDARY_LC         Content-Type =~ /boundary="(?!ffff)[a-z]+"/
describe  SARE_BOUNDARY_LC         Content type boundary used in spam 
score     SARE_BOUNDARY_LC         1.666
#ham      SARE_BOUNDARY_LC         questionable newsletters
#hist     SARE_BOUNDARY_LC         Created by Bob Menschel May 31 2004
#ham      SARE_BOUNDARY_LC         "ffff": Game Rival <newsletter@gamerival.com>, ThePerfectGreeting <updates@perfectgreeting.com>
#counts   SARE_BOUNDARY_LC         899s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_LC         83s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_BOUNDARY_LC         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_BOUNDARY_LC         30s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_BOUNDARY_LC         125s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_BOUNDARY_LC         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a Content-Type whose boundary parameter is followed by the token
# "_NextPart_" twice. The pattern has no closing quote, so the two ".*" runs
# may extend past the end of the boundary value into the rest of the header.
# NOTE(review): at 4.000 this single rule supplies most of SpamAssassin's
# default 5.0 threshold, while the latest RM mass-check shows only 4 hits
# against a 2004 peak of 1118 -- re-check the score against current mail.
header    SARE_BOUNDARY_NP2        Content-Type =~ /boundary=".*_NextPart_.*_NextPart_/
describe  SARE_BOUNDARY_NP2        Content type boundary used in spam and viruses
score     SARE_BOUNDARY_NP2        4.000
#stype    SARE_BOUNDARY_NP2        vbg
#hist     SARE_BOUNDARY_NP2        Created by Bob Menschel May 31 2004
#hist     SARE_BOUNDARY_NP2        Bugzilla entry 3861, Oct 03 2004
#counts   SARE_BOUNDARY_NP2        4s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_BOUNDARY_NP2        1118s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
#counts   SARE_BOUNDARY_NP2        7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_BOUNDARY_NP2        37s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_BOUNDARY_NP2        0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_BOUNDARY_NP2        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_NP2        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE From Rules 
########  ######################   ##################################################

# Matches a From address whose local part is a single asterisk: "<*@",
# then 1 to 50 characters, a dot, and 1 to 3 more characters.
header    SARE_FROM_AST            From =~ /<\*\@.{1,50}\..{1,3}/
describe  SARE_FROM_AST            Invalid character in email address
score     SARE_FROM_AST            0.666
#hist     SARE_FROM_AST            Originally submitted by Fred Tarasevicius
#counts   SARE_FROM_AST            1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FROM_AST            20s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_FROM_AST            0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FROM_AST            0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_AST            0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_AST            0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

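# Matches a From header with a quoted display name followed by an msn.com
# address whose local part is uppercase letters only. The match is
# deliberately case-sensitive (no /i), so mixed-case or lowercase addresses
# do not hit.
# The dot in "msn.com" is now escaped; unescaped it matched any character in
# that position. The rule name in the #ham line was misspelled
# (SARE_FRMO_CAPS_MSN) and is corrected.
header    SARE_FROM_CAPS_MSN       From =~ /"[^"]+" <[A-Z]+\@msn\.com>/   # no /i 
describe  SARE_FROM_CAPS_MSN       Ratware all-caps MSN from address
score     SARE_FROM_CAPS_MSN       0.759
#ham      SARE_FROM_CAPS_MSN       verified (3)
#hist     SARE_FROM_CAPS_MSN       Created by Bob Menschel May 15 2004
#counts   SARE_FROM_CAPS_MSN       173s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FROM_CAPS_MSN       421s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_FROM_CAPS_MSN       48s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_CAPS_MSN       102s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FROM_CAPS_MSN       6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FROM_CAPS_MSN       59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_CAPS_MSN       29s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_FROM_CAPS_MSN       51s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FROM_CAPS_MSN       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05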
	
# Matches the whole word "soma" anywhere in the From header, display name or
# address, case-insensitively. The #hist note records ham from a user whose
# id is "soma", so personal names and user ids can trip this rule.
# (Rule name in the #ham line corrected from SARE_FRMO_DRUGS2.)
header    SARE_FROM_DRUGS2         From =~ /\bsoma\b/i
describe  SARE_FROM_DRUGS2         From a drug
score     SARE_FROM_DRUGS2         0.754
#ham      SARE_FROM_DRUGS2         verified (3) 
#hist     SARE_FROM_DRUGS2         Bob Menschel June 25 2005; ham email from userid = soma
#counts   SARE_FROM_DRUGS2         79s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_DRUGS2         2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#counts   SARE_FROM_DRUGS2         62s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_DRUGS2         0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

# Matches a From header containing "DVD" followed later by "copi"/"copy", or
# the standalone word "dvd", case-insensitively. Because the bare word alone
# is enough, legitimate retailers hit it: see the #ham note and the 28 ham
# hits in the latest RM mass-check.
header    SARE_FROM_DVDCOPY        From =~ m'(?:DVD.*cop[iy]|\bdvd\b)'i
describe  SARE_FROM_DVDCOPY        From DVD abuse address
score     SARE_FROM_DVDCOPY        0.630
#ham      SARE_FROM_DVDCOPY        Columbia House DVD Club <columbiahouse@mail.columbiahouse.com>
#hist     SARE_FROM_DVDCOPY        Created by Bob Menschel Sep 04 2004
#counts   SARE_FROM_DVDCOPY        243s/28h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_DVDCOPY        24s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_DVDCOPY        31s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
#counts   SARE_FROM_DVDCOPY        98s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_DVDCOPY        24s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_DVDCOPY        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# SARE_FROM_NONAME fires when From contains an empty quoted display name
# ('""' directly before "<", with at most one space between) that the
# stricter FROM_BLANK_NAME pattern does not match, so the two rules never
# score the same message (see the #overlap note).
# NOTE(review): FROM_BLANK_NAME is declared here without a "__" prefix and
# without a score line. On an install that does not already provide it, this
# line presumably creates a scoring rule of its own at the default score;
# where it is provided, this line redefines it. Confirm which is intended.
# SARE_FROM_NONAME also has no describe line.
header    FROM_BLANK_NAME          From =~ /(?:\s|^)"" <\S+>/i  # SA 3.1.0
header    __SARE_FROM_NONAME       From =~ /"" ?</
meta      SARE_FROM_NONAME         __SARE_FROM_NONAME && !FROM_BLANK_NAME
score     SARE_FROM_NONAME         0.714
#hist     SARE_FROM_NONAME         Created by Fred Tarasevicius 
#overlap  SARE_FROM_NONAME         SARE rule catches spam missed by SA rule. Use meta to avoid duplication
#counts   SARE_FROM_NONAME         371s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_NONAME         0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_FROM_NONAME         0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# Matches a From header containing peo<digit>.com, postalbureau.com or
# startremodeling.com, case-insensitively. The pattern is anchored by \b on
# the left only, so longer names that begin with one of these strings match
# as well. The From header is chosen by the sender, and the latest RM
# mass-check shows a single hit against a January 2005 peak of 36.
header    SARE_FROM_SPAM_DOMN0     From =~ /\b(?:(?:peo\d|postalbureau|startremodeling)\.com)/i
describe  SARE_FROM_SPAM_DOMN0     From address suggests this is spam
score     SARE_FROM_SPAM_DOMN0     0.555
#ham      SARE_FROM_SPAM_DOMN0     confirmed: 1 yahoo.net, perhaps a user's error
#hist     SARE_FROM_SPAM_DOMN0     RM_fa_PeoCom, RM_fa_PostalBur
#hist     SARE_FROM_SPAM_DOMN0     Moved from file 0 to 1 May 2005
#counts   SARE_FROM_SPAM_DOMN0     1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FROM_SPAM_DOMN0     36s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_FROM_SPAM_DOMN0     0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#max      SARE_FROM_SPAM_DOMN0     27s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FROM_SPAM_DOMN0     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_FROM_SPAM_DOMN0     5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_SPAM_DOMN0     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPAM_DOMN0     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches "yahoo.net" anywhere in the From header, case-insensitively. There
# is no right-hand anchor, so a longer name beginning with that string
# (constructed example: yahoo.network) matches too. The latest RM mass-check
# shows one spam and one ham hit, and the #ham note attributes the ham to a
# user's typing error.
header    SARE_FROM_SPAM_DOMN0Y    From =~ /\byahoo\.net/i
describe  SARE_FROM_SPAM_DOMN0Y    From address suggests this is spam
score     SARE_FROM_SPAM_DOMN0Y    0.555
#ham      SARE_FROM_SPAM_DOMN0Y    confirmed: 1 yahoo.net, perhaps a user's error
#counts   SARE_FROM_SPAM_DOMN0Y    1s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FROM_SPAM_DOMN0Y    36s/0h of 114271 corpus (81068s/33203h RM) 01/15/05

# SARE_FROM_SPAM_MONEY fires when "money" appears in From with no whitespace
# between it and a following "@" (__SARE_FROM_SPAM_MONY2), matched
# case-insensitively. __SARE_FROM_SPAM_MONY1 is declared here but not used by
# this meta; SARE_FROM_SPAM_MONEY2 is the rule that uses it.
header    __SARE_FROM_SPAM_MONY1   From =~ /money.*\@/i
header    __SARE_FROM_SPAM_MONY2   From =~ /money\S*\@/i
meta      SARE_FROM_SPAM_MONEY     __SARE_FROM_SPAM_MONY2
describe  SARE_FROM_SPAM_MONEY     From address suggests this is spam
score     SARE_FROM_SPAM_MONEY     0.866
#ham      SARE_FROM_SPAM_MONEY     confirmed (1) 
#addsto   SARE_FROM_SPAM_MONEY     SARE_FROM_SPAM_MONEY2  
#hist     SARE_FROM_SPAM_MONEY     RM_fw_Money. Meta created Aug 20 2004 to improve scoring.
#counts   SARE_FROM_SPAM_MONEY     249s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_SPAM_MONEY     4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_FROM_SPAM_MONEY     31s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_SPAM_MONEY     33s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_SPAM_MONEY     18s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

# SARE_FROM_SPAM_MONEY2 fires when "money" appears somewhere before an "@" in
# From, but only with whitespace in between (MONY1 matches, MONY2 does not).
# Per the #ham note that is typically the display name, which is why ordinary
# users hit it. The two sub-rule lines repeat, character for character, the
# definitions that accompany SARE_FROM_SPAM_MONEY.
header    __SARE_FROM_SPAM_MONY1   From =~ /money.*\@/i
header    __SARE_FROM_SPAM_MONY2   From =~ /money\S*\@/i
meta      SARE_FROM_SPAM_MONEY2    __SARE_FROM_SPAM_MONY1 && !__SARE_FROM_SPAM_MONY2
describe  SARE_FROM_SPAM_MONEY2    From address suggests this is spam
score     SARE_FROM_SPAM_MONEY2    0.741
#ham      SARE_FROM_SPAM_MONEY2    Valid end-users with "money" in their display name
#counts   SARE_FROM_SPAM_MONEY2    290s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_SPAM_MONEY2    1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_SPAM_MONEY2    62s/3h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_SPAM_MONEY2    12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_SPAM_MONEY2    2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# Matches any of six sender names anywhere in the From header,
# case-insensitively; only "WSEAS" is bounded by \b on both sides.
# NOTE(review): the score is 3.333, yet every current mass-check below shows
# zero hits and the only recorded activity is the 06/08/04 peak. A display
# name is free text set by the sender, so a stale name list at this score
# mainly adds false-positive risk -- consider lowering or retiring it.
header    SARE_FROM_SPAM_NAME0     From =~ /(?:Direct Marketing|FreeOffers|FunBenefits|salestonight|WESTEC SALES|\bWSEAS\b)/i
describe  SARE_FROM_SPAM_NAME0     From address suggests this is spam
score     SARE_FROM_SPAM_NAME0     3.333
#stype    SARE_FROM_SPAM_NAME0     spamg
#hist     SARE_FROM_SPAM_NAME0     COMBINED.FROM and other sources
#counts   SARE_FROM_SPAM_NAME0     0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FROM_SPAM_NAME0     369s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_FROM_SPAM_NAME0     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FROM_SPAM_NAME0     0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_SPAM_NAME0     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPAM_NAME0     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a From address at tpnet.pl (case-sensitive: there is no /i flag).
# The #stype note caps the score at 0.5 because the domain may belong to a
# legitimate ISP, so a hit penalises every sender at that provider.
# (Rule name in the #stype line corrected from SARE_FRMO_SPAM_PL1.)
header    SARE_FROM_SPAM_PL1       From =~ /\@tpnet\.pl\b/
describe  SARE_FROM_SPAM_PL1       A lot of spam comes from here
score     SARE_FROM_SPAM_PL1       0.500
#stype    SARE_FROM_SPAM_PL1       max:0.5 # possible valid ISP in Poland
#hist     SARE_FROM_SPAM_PL1       Loren Wilton, Feb 21 2005
#counts   SARE_FROM_SPAM_PL1       1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FROM_SPAM_PL1       26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_FROM_SPAM_PL1       0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_FROM_SPAM_PL1       6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FROM_SPAM_PL1       0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FROM_SPAM_PL1       1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FROM_SPAM_PL1       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Two alternatives, both case-insensitive: "high" + at most one character +
# "speed" at the very start of the From value (the "^" sits inside the
# group), or the word "interacial" anywhere in the header.
# (Rule name in the #stype line corrected from SARE_FRM_SPAM_WORD2.)
header    SARE_FROM_SPAM_WORD2     From =~ /\b(?:^high.?speed|interacial)\b/i
describe  SARE_FROM_SPAM_WORD2     From address suggests this is spam
score     SARE_FROM_SPAM_WORD2     0.555
#stype    SARE_FROM_SPAM_WORD2     spamp
#hist     SARE_FROM_SPAM_WORD2     COMBINED.FROM and other sources
#counts   SARE_FROM_SPAM_WORD2     9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_SPAM_WORD2     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FROM_SPAM_WORD2     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPAM_WORD2     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE From Rules -- Emails coming from free webmail accounts
#         Since spam from these can vary depending upon country of origin, 
#         country of destination, policies, and enforcement of policies, 
#         most of these are kept as separate rules rather than combined. 
########  ######################   ##################################################

# Matches "bigmailbox.com" anywhere in the From header, case-insensitively.
# The rule reads only the From header, which the sender writes, so a hit
# shows what the message claims rather than where it came from.
header    SARE_FREE_WEBM_BIGMAIL   From =~ /\bbigmailbox\.com/i
describe  SARE_FREE_WEBM_BIGMAIL   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_BIGMAIL   0.650
#counts   SARE_FREE_WEBM_BIGMAIL   1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_BIGMAIL   13s/0h of 125163 corpus (104972s/20191h) 03/28/04
#counts   SARE_FREE_WEBM_BIGMAIL   0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FREE_WEBM_BIGMAIL   4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_BIGMAIL   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_BIGMAIL   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches "voila.fr" anywhere in the From header, case-insensitively. The
# #ham line records one confirmed legitimate sender; sites that correspond
# with users of this provider should expect more.
header    SARE_FREE_WEBM_FrVoila   From =~ /\bvoila\.fr/i
describe  SARE_FREE_WEBM_FrVoila   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_FrVoila   0.644
#ham      SARE_FREE_WEBM_FrVoila   confirmed: 1
#counts   SARE_FREE_WEBM_FrVoila   30s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_FrVoila   40s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_FREE_WEBM_FrVoila   2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_FrVoila   0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_FREE_WEBM_FrVoila   3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_FrVoila   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_FrVoila   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Substring test for "jpopmail.com" in the From header value (name or
# address), case-insensitive; not anchored to the end of the domain.
header    SARE_FREE_WEBM_Jpop      From =~ /\bjpopmail\.com/i 
describe  SARE_FREE_WEBM_Jpop      Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_Jpop      0.944
#counts   SARE_FREE_WEBM_Jpop      1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_FREE_WEBM_Jpop      66s/0h of 125163 corpus (104972s/20191h) 03/28/04
#counts   SARE_FREE_WEBM_Jpop      1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_Jpop      2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FREE_WEBM_Jpop      2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_Jpop      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_Jpop      1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_Jpop      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches "mail" + one to three digits + ".com" anywhere in the From header
# value, case-insensitive. Unlike the sibling rules there is no \b or \@ in
# front, so any domain that merely ends in "mail<digits>.com" (for example a
# constructed "webmail12.com") hits, not one specific provider. The #ham note
# below marks the rule "questionable" and the largest corpus shows 4 ham hits.
header    SARE_FREE_WEBM_MailD     From =~ /mail\d{1,3}\.com/i
describe  SARE_FREE_WEBM_MailD     Sender used free email account - may be spammer
score     SARE_FREE_WEBM_MailD     1.666
#ham      SARE_FREE_WEBM_MailD     questionable
#counts   SARE_FREE_WEBM_MailD     2051s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_MailD     21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_MailD     27s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_MailD     75s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_FREE_WEBM_MailD     5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_MailD     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Substring test for "mailexcite.com" in the From header value,
# case-insensitive and open on the right. The largest corpus line below
# records 7 ham hits against 21 spam hits for this rule.
header    SARE_FREE_WEBM_Mailexc   From =~ /\bmailexcite\.com/i
describe  SARE_FREE_WEBM_Mailexc   Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_Mailexc   0.215
#ham      SARE_FREE_WEBM_Mailexc   verified (6)
#counts   SARE_FREE_WEBM_Mailexc   21s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_Mailexc   44s/0h of 125163 corpus (104972s/20191h) 03/28/04
#counts   SARE_FREE_WEBM_Mailexc   5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_Mailexc   3s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#max      SARE_FREE_WEBM_Mailexc   7s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_Mailexc   2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_Mailexc   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches an address whose domain starts directly after "@" with "netcity",
# followed by at least one word character and then ".com" (\w+ is required,
# so plain netcity.com does not hit). Case-insensitive; nothing anchors the
# end, so text may follow ".com".
header    SARE_FREE_WEBM_NETCITY   From =~ /\@netcity\w+\.com/i
describe  SARE_FREE_WEBM_NETCITY   Maybe spammer with free email
score     SARE_FREE_WEBM_NETCITY   1.111
#stype    SARE_FREE_WEBM_NETCITY   spamp
#hist     SARE_FREE_WEBM_NETCITY   Created by Bob Menschel Aug 20 2004
#counts   SARE_FREE_WEBM_NETCITY   4s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_NETCITY   12s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_FREE_WEBM_NETCITY   4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_NETCITY   2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_NETCITY   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_NETCITY   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Substring test for "fsmail.net" in the From header value, case-insensitive.
# \b allows any non-word character before "fsmail", and the right side is
# open, so this is broader than an exact-domain comparison.
header    SARE_FREE_WEBM_NetFs     From =~ /\bfsmail\.net/i
describe  SARE_FREE_WEBM_NetFs     Sender used free email account - may be spammer
score     SARE_FREE_WEBM_NetFs     0.685
#ham      SARE_FREE_WEBM_NetFs     confirmed (1)
#counts   SARE_FREE_WEBM_NetFs     70s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_NetFs     129s/0h of 125163 corpus (104972s/20191h) 03/28/04
#counts   SARE_FREE_WEBM_NetFs     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FREE_WEBM_NetFs     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_FREE_WEBM_NetFs     8s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_NetFs     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_NetFs     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Substring test for "safe-mail.net" in the From header value,
# case-insensitive. Matches in the display name as well as the address, and
# is not anchored at the end of the domain.
header    SARE_FREE_WEBM_NetSafe   From =~ /\bsafe-mail\.net/i
describe  SARE_FREE_WEBM_NetSafe   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_NetSafe   0.714
#counts   SARE_FREE_WEBM_NetSafe   27s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_NetSafe   28s/1h of 283497 corpus (129933s/153564h RM) 03/08/05
#counts   SARE_FREE_WEBM_NetSafe   2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_NetSafe   9s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FREE_WEBM_NetSafe   19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_FREE_WEBM_NetSafe   3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_NetSafe   6s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

# Substring test for "netster.com" in the From header value, case-insensitive.
# Any host whose name contains a boundary followed by netster.com hits,
# including subdomains and longer right-hand suffixes.
header    SARE_FREE_WEBM_Netster   From =~ /\bnetster\.com/i
describe  SARE_FREE_WEBM_Netster   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_Netster   0.889
#ham      SARE_FREE_WEBM_Netster   confirmed (1)
#counts   SARE_FREE_WEBM_Netster   6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_Netster   43s/0h of 125163 corpus (104972s/20191h) 03/28/04
#counts   SARE_FREE_WEBM_Netster   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FREE_WEBM_Netster   2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FREE_WEBM_Netster   3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FREE_WEBM_Netster   12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_Netster   0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_Netster   3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_Netster   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Substring test for "tenbit.pl" in the From header value, case-insensitive
# and open on the right. Scored above 1.0 although the newest large corpus
# line below shows only 2 spam hits; the #max line is from April 2004.
header    SARE_FREE_WEBM_PlTenbi   From =~ /\btenbit\.pl/i
describe  SARE_FREE_WEBM_PlTenbi   Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_PlTenbi   1.056 
#counts   SARE_FREE_WEBM_PlTenbi   2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_PlTenbi   83s/0h of 115937 corpus (94614s/21323h) 04/29/04
#counts   SARE_FREE_WEBM_PlTenbi   4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_PlTenbi   0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_FREE_WEBM_PlTenbi   2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_PlTenbi   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_FREE_WEBM_PlTenbi   1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_PlTenbi   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# One rule for two .com domains: redwhitearmy.com and emailaccount.com.
# Tested as a case-insensitive substring of the From header value, so the
# display name counts and longer host names starting with either domain hit.
header    SARE_FREE_WEBM_ZCom05    From =~ /\b(?:redwhitearmy|emailaccount)\.com/i
describe  SARE_FREE_WEBM_ZCom05    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_ZCom05    0.981
#ham      SARE_FREE_WEBM_ZCom05    confirmed (1)
#counts   SARE_FREE_WEBM_ZCom05    183s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_ZCom05    7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FREE_WEBM_ZCom05    9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_ZCom05    26s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#max      SARE_FREE_WEBM_ZCom05    54s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_FREE_WEBM_ZCom05    14s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_ZCom05    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Substring test for "whoever.com" in the From header value. The capital W in
# the pattern is irrelevant because of /i. Not anchored on the right.
header    SARE_FREE_WEBM_Whoever   From =~ /\bWhoever\.com/i
describe  SARE_FREE_WEBM_Whoever   Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_Whoever   0.700
#counts   SARE_FREE_WEBM_Whoever   2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_Whoever   18s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
#counts   SARE_FREE_WEBM_Whoever   2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_Whoever   5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_Whoever   0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_FREE_WEBM_Whoever   1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_Whoever   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_Whoever   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Requires "@wowmail.com" literally, so only an address whose domain begins
# right after the "@" hits; subdomains of wowmail.com do not. The pattern is
# still open on the right and case-insensitive.
header    SARE_FREE_WEBM_WOWMAIL   From =~ /\@wowmail\.com/i
describe  SARE_FREE_WEBM_WOWMAIL   Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_WOWMAIL   0.767
#hist     SARE_FREE_WEBM_WOWMAIL   Created by Bob Menschel June 16 2004
#counts   SARE_FREE_WEBM_WOWMAIL   0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_WOWMAIL   18s/0h of 92181 corpus (67808s/24373h RM) 07/18/04
#counts   SARE_FREE_WEBM_WOWMAIL   2s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FREE_WEBM_WOWMAIL   7s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_FREE_WEBM_WOWMAIL   7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_FREE_WEBM_WOWMAIL   1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_WOWMAIL   6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_WOWMAIL   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# One rule for three .com domains: sify.com, superonline.com, coolgoose.com.
# Case-insensitive substring of the From header value; \b also accepts "." or
# "-" before the name, so subdomains and hyphenated hosts hit as well.
header    SARE_FREE_WEBM_ZCom01    From =~ /\b(?:sify|superonline|coolgoose)\.com/i
describe  SARE_FREE_WEBM_ZCom01    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_ZCom01    0.854
#counts   SARE_FREE_WEBM_ZCom01    150s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_ZCom01    4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_ZCom01    3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FREE_WEBM_ZCom01    5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_ZCom01    4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_ZCom01    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# One rule for macmail.com and emailacc.com (a different domain from the
# emailaccount.com that SARE_FREE_WEBM_ZCom05 tests). Case-insensitive
# substring of the From header value. The #ham line below attributes the
# confirmed ham to macmail.com.
header    SARE_FREE_WEBM_ZCom02    From =~ /\b(?:macmail|emailacc)\.com/i
describe  SARE_FREE_WEBM_ZCom02    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_ZCom02    0.682
#ham      SARE_FREE_WEBM_ZCom02    Confirmed: macmail.com(2) 
#counts   SARE_FREE_WEBM_ZCom02    122s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_ZCom02    6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FREE_WEBM_ZCom02    10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_ZCom02    5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_ZCom02    4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_ZCom02    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# One rule for pakistanmail.com and prontomail.com, tested as a
# case-insensitive substring of the From header value. Per the #hist line
# below, mail2world.com was removed from this alternation because it hit ham;
# it is tested separately by SARE_FREE_WEBM_ZCom03B.
header    SARE_FREE_WEBM_ZCom03    From =~ /\b(?:pakistanmail|prontomail)\.com/i
describe  SARE_FREE_WEBM_ZCom03    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_ZCom03    0.622
#ham      SARE_FREE_WEBM_ZCom03    valid email bounce messages
#hist     SARE_FREE_WEBM_ZCom03    Removed mail2world.com since it hit ham. 
#counts   SARE_FREE_WEBM_ZCom03    139s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_ZCom03    13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_FREE_WEBM_ZCom03    18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_ZCom03    8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_ZCom03    1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

# Substring test for "mail2world.com" in the From header value,
# case-insensitive and open on the right.
# NOTE(review): the #counts lines below repeat the SARE_FREE_WEBM_ZCom03
# figures except for the ham count (14h), and the score equals ZCom03's even
# though this is the domain recorded as hitting ham. The statistics may
# predate the split; confirm with a fresh mass-check before relying on them.
header    SARE_FREE_WEBM_ZCom03B   From =~ /\bmail2world\.com/i
describe  SARE_FREE_WEBM_ZCom03B   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_ZCom03B   0.622
#ham      SARE_FREE_WEBM_ZCom03B   valid email bounce messages
#counts   SARE_FREE_WEBM_ZCom03B   139s/14h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_ZCom03B   13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_FREE_WEBM_ZCom03B   18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_ZCom03B   8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_ZCom03B   1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

# One rule for luxmail.com, olemail.com and sailormoon.com. Case-insensitive
# substring of the From header value; because only \b guards the left side,
# a host such as a constructed "my-olemail.com" also matches.
header    SARE_FREE_WEBM_ZCom04    From =~ /\b(?:luxmail|olemail|sailormoon)\.com/i
describe  SARE_FREE_WEBM_ZCom04    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_ZCom04    0.711
#counts   SARE_FREE_WEBM_ZCom04    3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_ZCom04    19s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_FREE_WEBM_ZCom04    1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_ZCom04    7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_ZCom04    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_ZCom04    1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_ZCom04    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# One rule for five .com domains: clickitmail, deskpilot, killergreenmail,
# lancsmail and lovecat. Case-insensitive substring of the From header value
# (display name or address), not anchored at the end of the domain.
header    SARE_FREE_WEBM_ZCom06    From =~ /\b(?:clickitmail|deskpilot|killergreenmail|lancsmail|lovecat)\.com/i
describe  SARE_FREE_WEBM_ZCom06    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_ZCom06    0.755
#counts   SARE_FREE_WEBM_ZCom06    23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_ZCom06    9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_FREE_WEBM_ZCom06    2s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#max      SARE_FREE_WEBM_ZCom06    5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_ZCom06    2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_ZCom06    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# One rule for bolt.com and amnestymail.com, tested as a case-insensitive
# substring of the From header value. "bolt" is a short common word and \b
# accepts a hyphen before it, so unrelated hosts ending in "-bolt.com" hit
# as well.
header    SARE_FREE_WEBM_ZCom07    From =~ /\b(?:bolt|amnestymail)\.com/i
describe  SARE_FREE_WEBM_ZCom07    Sender used free email account - may be spammer
score     SARE_FREE_WEBM_ZCom07    0.756  
#counts   SARE_FREE_WEBM_ZCom07    25s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_ZCom07    5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_ZCom07    14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_ZCom07    3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_ZCom07    5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_ZCom07    1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Requires "@702mail.co.za" literally, so the domain must start right after
# the "@" of an address in the From header. Case-insensitive; open on the
# right.
header    SARE_FREE_WEBM_ZZa001    From =~ /\@702mail\.co\.za/i
describe  SARE_FREE_WEBM_ZZa001    Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_ZZa001    0.783
#counts   SARE_FREE_WEBM_ZZa001    21s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_ZZa001    38s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
#counts   SARE_FREE_WEBM_ZZa001    0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FREE_WEBM_ZZa001    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_FREE_WEBM_ZZa001    3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_ZZa001    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_ZZa001    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

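# Six case-insensitive body sub-rules, each matching one wording of a webmail
# service footer (English, Italian, Spanish and French variants), OR-ed into
# one scored meta rule. The names start with "__", so the sub-rules carry no
# score of their own. The footer is body text that any sender can include or
# omit, and the #ham line below records several confirmed ham hits.
body      __SARE_FREE_WEBM_SERV1   /Mail sent from WebMail service/i
body      __SARE_FREE_WEBM_SERV2   /spedita dal servizio WebMail/i
# SpamAssassin collapses runs of whitespace in rendered body text before body
# rules run, so the former literal two-space gap in "de  WebMail" could not
# match; \s+ accepts one or more whitespace characters instead.
body      __SARE_FREE_WEBM_SERV3   /Mail enviado desde el servicio de\s+WebMail/i
body      __SARE_FREE_WEBM_SERV4   /Mail inviata dal WebMail service/i
body      __SARE_FREE_WEBM_SERV5   /le module WebMail des service/i
body      __SARE_FREE_WEBM_SERV6   /Servizio WebMail offerto/i
meta      SARE_FREE_WEBM_SERV      (__SARE_FREE_WEBM_SERV1 || __SARE_FREE_WEBM_SERV2 || __SARE_FREE_WEBM_SERV3 || __SARE_FREE_WEBM_SERV4 || __SARE_FREE_WEBM_SERV5 || __SARE_FREE_WEBM_SERV6)
describe  SARE_FREE_WEBM_SERV      Sent from Webmail server
score     SARE_FREE_WEBM_SERV      1.374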
#ham      SARE_FREE_WEBM_SERV      confirmed (several)
#hist     SARE_FREE_WEBM_SERV      Kevin Peuhkurinen, May 2005
#counts   SARE_FREE_WEBM_SERV      1104s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_SERV      3s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_FREE_WEBM_SERV      58s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FREE_WEBM_SERV      9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_FREE_WEBM_SERV      4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05

#####################################################################################
#         SARE Message-ID rules
########  ######################   ##################################################

# Scores a Message-ID of the form <d.d.dd.dddddddddddddddd + six characters
# from [a-f0-9] + "@": one digit, one digit, two digits, sixteen digits, then
# the hex-like run. There is no /i, so uppercase A-F does not match.
# MESSAGEID is SpamAssassin's pseudo-header covering the message's
# Message-Id headers.
# The meta suppresses the hit when any Received header contains the uppercase
# string "LOCALHOST" (case-sensitive) -- presumably to spare a legitimate
# generator; the reason is not recorded here. Received text is sender-
# influenced, so that exclusion can also be triggered by a forged header.
# The description is exactly 50 characters long; its closing parenthesis
# appears to have been dropped, possibly to stay within a length limit.
header    __SARE_RECV_LOCALHOST    Received =~ /LOCALHOST/
header    __SARE_MSGID_D1D1D2D16   MESSAGEID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
meta      SARE_MSGID_D1D1D2D16     !__SARE_RECV_LOCALHOST && __SARE_MSGID_D1D1D2D16
describe  SARE_MSGID_D1D1D2D16     Message-ID has ratware pattern (9.9.99.9999999hex@
score     SARE_MSGID_D1D1D2D16     1.666
#counts   SARE_MSGID_D1D1D2D16     11s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_MSGID_D1D1D2D16     590s/0h of 115439 corpus (94250s/21189h) 04/30/04
#counts   SARE_MSGID_D1D1D2D16     46s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_MSGID_D1D1D2D16     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MSGID_D1D1D2D16     1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_MSGID_D1D1D2D16     1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_MSGID_D1D1D2D16     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a Message-ID whose local part is exactly five digits, a dot and
# seven digits between "<" and "@". The domain part is not examined.
# The #max line dated 01/15/05 below records one ham hit.
header    SARE_MSGID_D5D7          MESSAGEID =~ /<\d{5}\.\d{7}\@/
describe  SARE_MSGID_D5D7          Message-ID has ratware pattern (99999.9999999@)
score     SARE_MSGID_D5D7          0.622
#counts   SARE_MSGID_D5D7          0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#max      SARE_MSGID_D5D7          4s/1h of 114238 corpus (81067s/33171h RM) 01/15/05
#counts   SARE_MSGID_D5D7          11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MSGID_D5D7          1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_MSGID_D5D7          25s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MSGID_D5D7          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_D5D7          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a Message-ID that opens with "<", one or two digits, and then "$" or
# "-" (the character class [\$-] holds exactly those two characters).
# The meta skips the hit when any Received header contains the uppercase
# string "LOCALHOST"; that text is sender-influenced, so a forged header can
# trigger the exclusion as well.
# __SARE_RECV_LOCALHOST is defined here with the same pattern as in the
# SARE_MSGID_D1D1D2D16 group earlier in this file, which keeps each rule
# group self-contained.
# The largest corpus line below shows 8 ham hits against 3039 spam hits.
header    __SARE_RECV_LOCALHOST    Received =~ /LOCALHOST/
header    __SARE_MSGID_DDDASH      MESSAGEID =~ /<\d\d?[\$-]/
meta      SARE_MSGID_DDDASH        __SARE_MSGID_DDDASH && !__SARE_RECV_LOCALHOST
describe  SARE_MSGID_DDDASH        Message-ID has ratware pattern (9-, 9$, 99-)
score     SARE_MSGID_DDDASH        1.666
#counts   SARE_MSGID_DDDASH        3039s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_MSGID_DDDASH        10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MSGID_DDDASH        114s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_MSGID_DDDASH        1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_MSGID_DDDASH        3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MSGID_DDDASH        3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_MSGID_DDDASH        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a Message-ID containing 50 consecutive characters drawn from
# lowercase a-z, digits and "$". There is no /i, so an uppercase letter, dot,
# dash or "@" breaks the run; the rule measures an unbroken run, not the total
# length the description suggests. Several corpus lines below record ham hits
# (11 in the largest), so long machine-generated IDs from legitimate senders
# can trip it.
header    SARE_MSGID_LONG50        MESSAGEID =~ /[a-z0-9\$]{50}/
describe  SARE_MSGID_LONG50        Exceedingly long message id
score     SARE_MSGID_LONG50        0.726
#hist     SARE_MSGID_LONG50        Created by Frederic Tarasevicius
#counts   SARE_MSGID_LONG50        448s/11h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_MSGID_LONG50        575s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_MSGID_LONG50        14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_MSGID_LONG50        28s/4h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_MSGID_LONG50        38s/2h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_MSGID_LONG50        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_MSGID_LONG50        2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_MSGID_LONG50        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a Message-ID that starts with "<", has at least one lowercase letter
# somewhere before ".qmail@", and contains a closing ">". Case-sensitive.
# NOTE(review): presumably this relies on qmail's own IDs being all-numeric
# before ".qmail@", so a letter there marks an imitation -- confirm.
# This is the highest score in the Message-ID group (3.333); the corpus lines
# below show no ham hits, but the newest spam counts are in single digits.
header    SARE_MSGID_QMAIL1        MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/
describe  SARE_MSGID_QMAIL1        Contains spoofing message id
score     SARE_MSGID_QMAIL1        3.333
#stype    SARE_MSGID_QMAIL1        spamgg
#hist     SARE_MSGID_QMAIL1        David Hooton, Fri, 11 Jun 2004
#counts   SARE_MSGID_QMAIL1        6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_MSGID_QMAIL1        31s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
#counts   SARE_MSGID_QMAIL1        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_MSGID_QMAIL1        12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_MSGID_QMAIL1        1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MSGID_QMAIL1        9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_MSGID_QMAIL1        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_QMAIL1        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a Message-ID of the form <10-15 digits . 18-40 digits @ letters>,
# where the part after "@" is lowercase letters only with no dot, i.e. not a
# fully qualified host name. Case sensitivity is deliberate (see the inline
# "no /i" remark): an uppercase letter after "@" prevents the match.
# Two of the JH corpus lines below record 2 ham hits.
header    SARE_MSGID_RATWARE2      MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/          # no /i!
describe  SARE_MSGID_RATWARE2      Message-Id is <digits.digits@letters>
score     SARE_MSGID_RATWARE2      0.683
#hist     SARE_MSGID_RATWARE2      Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
#matches  SARE_MSGID_RATWARE2      numbers.numbers@letters
#counts   SARE_MSGID_RATWARE2      32s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_MSGID_RATWARE2      1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
#counts   SARE_MSGID_RATWARE2      33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MSGID_RATWARE2      66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_MSGID_RATWARE2      9s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#max      SARE_MSGID_RATWARE2      31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_MSGID_RATWARE2      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_MSGID_RATWARE2      3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_MSGID_RATWARE2      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a Message-ID whose whole value is between one and six characters
# long; the pattern is anchored at both ends and counts every character,
# angle brackets included. A missing Message-ID yields an empty value, which
# {1,6} does not match.
header    SARE_MSGID_SHORT         MESSAGEID =~ /^.{1,6}$/
describe  SARE_MSGID_SHORT         Message ID is too short to be valid. 
score     SARE_MSGID_SHORT         1.283
#hist     SARE_MSGID_SHORT         RM_hm_ShortMsgid6
#counts   SARE_MSGID_SHORT         181s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_MSGID_SHORT         191s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
#counts   SARE_MSGID_SHORT         34s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MSGID_SHORT         40s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MSGID_SHORT         43s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_MSGID_SHORT         68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_MSGID_SHORT         4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MSGID_SHORT         9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_MSGID_SHORT         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Received Header Rules
########  ######################   ##################################################

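# Scores a message when a relay outside the trusted networks announced a HELO
# name beginning with "dsl-". X-Spam-Relays-Untrusted is the pseudo-header
# SpamAssassin builds from parsed Received headers, so the result depends on
# trusted_networks being set correctly. Case-sensitive (no /i).
# The rule previously had no "describe" line, leaving its report entry
# without explanatory text; one is added here, kept under 50 characters like
# the other descriptions in this file.
# The #ham line below confirms several ham hits (18 in the largest corpus):
# a "dsl-" HELO indicates a consumer line, not necessarily a spam source.
header    SARE_HELO_EQ_DSL_3       X-Spam-Relays-Untrusted =~ /helo=dsl-/
describe  SARE_HELO_EQ_DSL_3       Untrusted relay HELO begins with dsl-
score     SARE_HELO_EQ_DSL_3       0.752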
#ham      SARE_HELO_EQ_DSL_3       confirmed (several)
#hist     SARE_HELO_EQ_DSL_3       Frederic Tarasevicius, Feb 22 2005
#counts   SARE_HELO_EQ_DSL_3       529s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HELO_EQ_DSL_3       143s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HELO_EQ_DSL_3       149s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_HELO_EQ_DSL_3       35s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_HELO_EQ_DSL_3       42s/1h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_HELO_EQ_DSL_3       34s/1h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HELO_EQ_DSL_3       68s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HELO_EQ_DSL_3       3s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

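# Scores a message when a relay outside the trusted networks announced a HELO
# name starting with "pppoe-" followed by four dash-separated digit groups
# (2-3 digits, then three groups of 1-3 digits), i.e. a name that embeds an
# IP-like sequence. Case-insensitive. X-Spam-Relays-Untrusted is the
# pseudo-header SpamAssassin builds from parsed Received headers, so the
# result depends on trusted_networks being set correctly.
# The rule previously had no "describe" line; one is added so the report
# entry explains the hit.
header    SARE_HELO_EQ_PPPOE       X-Spam-Relays-Untrusted =~ /helo=pppoe-\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}/i
describe  SARE_HELO_EQ_PPPOE       Untrusted relay HELO looks like pppoe-n-n-n-n
score     SARE_HELO_EQ_PPPOE       0.555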
#stype    SARE_HELO_EQ_PPPOE       spamp
#hist     SARE_HELO_EQ_PPPOE       Frederic Tarasevicius, Feb 22 2005
#counts   SARE_HELO_EQ_PPPOE       3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HELO_EQ_PPPOE       0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_HELO_EQ_PPPOE       0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_HELO_EQ_PPPOE       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HELO_EQ_PPPOE       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a message when any raw Received header contains "helo=yahoo.com",
# case-insensitive. It can only fire on Received lines written by software
# that records the HELO as "helo=<name>". The test runs against every
# Received header, including ones below the trust boundary that the sender
# may have forged, and the pattern is open on the right (yahoo.com.<tld>
# also matches). The #ham line below attributes confirmed ham to Apple Mail.
header    SARE_HELO_YAHOO          Received =~ /helo=yahoo\.com/i
describe  SARE_HELO_YAHOO          Received header has spamsign
score     SARE_HELO_YAHOO          1.666
#ham      SARE_HELO_YAHOO          confirmed (6), generated by X-Mailer: Apple Mail (2.552)
#hist     SARE_HELO_YAHOO          Created by Bob Menschel Oct 26 2004
#counts   SARE_HELO_YAHOO          663s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HELO_YAHOO          0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HELO_YAHOO          0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HELO_YAHOO          1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HELO_YAHOO          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a message when any Received header contains three or more
# consecutive bytes in the range 0x80-0xFF. Despite the generic wording of
# the description, the only header tested is Received.
header    SARE_HEAD_8BIT_RECV      Received =~ /[\x80-\xff]{3,}/
describe  SARE_HEAD_8BIT_RECV      High-ascii characters found in strange header
score     SARE_HEAD_8BIT_RECV      1.666
#ham      SARE_HEAD_8BIT_RECV      verified (1) 
#hist     SARE_HEAD_8BIT_RECV      From Bugzilla # 2243
#counts   SARE_HEAD_8BIT_RECV      1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_8BIT_RECV      10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_8BIT_RECV      0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#counts   SARE_HEAD_8BIT_RECV      1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_8BIT_RECV      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a message when any Received header contains "by fep5." (case-
# insensitive), i.e. a receiving host whose name starts with the label
# "fep5". The domain after the dot is not checked, so every provider that
# names a host fep5 is covered, and the text can equally appear in a forged
# Received line.
header    SARE_RECV_FEP5           Received =~ /by fep5\./i
describe  SARE_RECV_FEP5           Message contains known spam format
score     SARE_RECV_FEP5           1.666
#ham      SARE_RECV_FEP5           verified (1) 
#counts   SARE_RECV_FEP5           527s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_FEP5           528s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#counts   SARE_RECV_FEP5           7s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_RECV_FEP5           208s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_FEP5           479s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_FEP5           168s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_FEP5           195s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_FEP5           6s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a message when any Received header contains "freeserve.com" after a
# word boundary. Unlike most sibling rules there is no /i, so the match is
# case-sensitive; it is also open on the right. The test covers every
# Received header, not only those added by trusted relays. The #ham lines
# below document a legitimate mailing-list message that hit.
header    SARE_RECV_FREESERVE      Received =~ /\bfreeserve\.com/
describe  SARE_RECV_FREESERVE      spam passed through system used by spammers
score     SARE_RECV_FREESERVE      0.704
#ham      SARE_RECV_FREESERVE      confirmed (1)
#ham      SARE_RECV_FREESERVE      userid@hurrel.freeserve.co.uk, valid email sent to Yahoo groups list by subscriber
#counts   SARE_RECV_FREESERVE      77s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_FREESERVE      1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_FREESERVE      1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_FREESERVE      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_FREESERVE      1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

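# Scores a message when any Received header contains "mdnet.com.br" after a
# word boundary. Case-sensitive (no /i) and open on the right. The test
# covers every Received header, including ones a sender may have forged.
# The description text had "fromsite" run together; the missing space is
# restored so the report line reads correctly.
header    SARE_RECV_MDNETCOMBR     Received =~ /\bmdnet\.com\.br/
describe  SARE_RECV_MDNETCOMBR     Came through/from site used by spammer
score     SARE_RECV_MDNETCOMBR     0.756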
#counts   SARE_RECV_MDNETCOMBR     2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_MDNETCOMBR     33s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_MDNETCOMBR     3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_MDNETCOMBR     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_MDNETCOMBR     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_MDNETCOMBR     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Scores a message when any Received header contains "patmedia.net" after a
# word boundary, case-insensitive. This is a substring test over all Received
# headers, so it identifies text in the relay trail, not a verified
# connecting host. The largest corpus line below records one ham hit.
header    SARE_RECV_PATMEDIA       Received =~ /\bpatmedia\.net/i
describe  SARE_RECV_PATMEDIA       Passed through possible spammer relay or source
score     SARE_RECV_PATMEDIA       0.728
#stype    SARE_RECV_PATMEDIA       spamp
#hist     SARE_RECV_PATMEDIA       Created by Bob Menschel Aug 19 2004
#counts   SARE_RECV_PATMEDIA       47s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_PATMEDIA       6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_PATMEDIA       6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_PATMEDIA       3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_PATMEDIA       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Three-tier family keyed on a bracketed HELO token in the raw Received
# headers. \w+ inside the brackets admits only letters, digits and "_", so a
# dotted IP literal such as [192.0.2.1] (constructed) does not match.
#   __SARE_RECV_PORTHELOA  "helo=[word]" anywhere
#   __SARE_RECV_PORTHELOB  "(port=dddd helo=[word])" with exactly four digits
#   SARE_RECV_PORTHELO_1   the full "from [d.d.d.d] (port=dddd helo=[word])"
# The metas make the tiers mutually exclusive: _2 fires when B hits but _1
# does not, _3 when only A hits. The most specific form gets the highest
# score (see the #note lines below about scoring by "safety").
# All three test every Received header, not only those from trusted relays.
header    __SARE_RECV_PORTHELOA    Received =~ /helo=\[\w+\]/i
header    __SARE_RECV_PORTHELOB    Received =~ /\(port=\d{4} helo=\[\w+\]\)/i
header    SARE_RECV_PORTHELO_1     Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(port=\d{4} helo=\[\w+\]\)/i
meta      SARE_RECV_PORTHELO_2     __SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
meta      SARE_RECV_PORTHELO_3     __SARE_RECV_PORTHELOA && !__SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
describe  SARE_RECV_PORTHELO_1     Apparent Spamsign in Received header
describe  SARE_RECV_PORTHELO_2     Apparent Spamsign in Received header
describe  SARE_RECV_PORTHELO_3     Apparent Spamsign in Received header
score     SARE_RECV_PORTHELO_1     2.666
score     SARE_RECV_PORTHELO_2     2.000
score     SARE_RECV_PORTHELO_3     1.666
#note     SARE_RECV_PORTHELO_1     As of June 8 2005, all three rules in this family hit identically.
#note     SARE_RECV_PORTHELO_1     We score them based on their "safety". 
#hist     SARE_RECV_PORTHELO_1     Loren Wilton, June 2005
#counts   SARE_RECV_PORTHELO_1     5201s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_PORTHELO_1     69s/0h of 55754 corpus (18581s/37173h JH-3.01) 06/10/05
#counts   SARE_RECV_PORTHELO_1     286s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_PORTHELO_1     83s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
#counts   SARE_RECV_PORTHELO_1     42s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_PORTHELO_3     499s/0h of 689155 corpus (348140s/341015h RM) 09/18/05

header    SARE_RECV_RND_DATE       Received =~ /RND_DATE/i
describe  SARE_RECV_RND_DATE       Spam passed through iswest.net relay
score     SARE_RECV_RND_DATE       1.666  
#note     SARE_RECV_RND_DATE       Matches the literal token RND_DATE (any case) anywhere in a Received header; presumably an unexpanded mailer template variable -- confirm.
#note     SARE_RECV_RND_DATE       The pattern names no domain, so the iswest.net attribution in the description is not enforced by the regex.
#stype    SARE_RECV_RND_DATE       spamg
#counts   SARE_RECV_RND_DATE       1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_RND_DATE       9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#counts   SARE_RECV_RND_DATE       0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_RECV_RND_DATE       1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_RND_DATE       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_RND_DATE       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_SKANOVA        Received =~ /\bskanova\.com/i
describe  SARE_RECV_SKANOVA        From or passed through spammer/unreliable domain
score     SARE_RECV_SKANOVA        0.741
#note     SARE_RECV_SKANOVA        Case-insensitive match on "skanova.com" at a word boundary; there is no trailing boundary, so longer names beginning with that text also hit.
#note     SARE_RECV_SKANOVA        Tested against every Received header of the message, not only the hop recorded by the local MTA.
#ham      SARE_RECV_SKANOVA        verified (several)
#hist     SARE_RECV_SKANOVA        Created by Bob Menschel Apr 03 2004
#counts   SARE_RECV_SKANOVA        197s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SKANOVA        18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_SKANOVA        15s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_SKANOVA        4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_SKANOVA        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_SPAM_DOMN02    Received =~ /\b(?:dsl\.telesp|speedyterra)\.(?:com|net)\.br/
describe  SARE_RECV_SPAM_DOMN02    Email passed through apparent spammer domain 
score     SARE_RECV_SPAM_DOMN02    1.666
#note     SARE_RECV_SPAM_DOMN02    Matches dsl.telesp.{com,net}.br or speedyterra.{com,net}.br in any Received header.
#note     SARE_RECV_SPAM_DOMN02    No /i flag: a host name recorded in upper case does not hit.
#ham      SARE_RECV_SPAM_DOMN02    Confirmed (5)
#counts   SARE_RECV_SPAM_DOMN02    1953s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPAM_DOMN02    138s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_SPAM_DOMN02    187s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_SPAM_DOMN02    64s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_SPAM_DOMN02    28s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_SPAM_DOMN02    44s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_SPAM_DOMN02    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_SPAM_DOMN04    Received =~ /\b(?:megared)\.(?:com|net)\.mx/
describe  SARE_RECV_SPAM_DOMN04    Email passed through apparent spammer domain 
score     SARE_RECV_SPAM_DOMN04    0.709
#note     SARE_RECV_SPAM_DOMN04    Matches megared.com.mx or megared.net.mx in any Received header; case-sensitive (no /i flag).
#ham      SARE_RECV_SPAM_DOMN04    verified (3) 
#counts   SARE_RECV_SPAM_DOMN04    244s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPAM_DOMN04    29s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_SPAM_DOMN04    34s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_SPAM_DOMN04    3s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_SPAM_DOMN04    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_SPAM_DOMN04    3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_SPAM_DOMN04    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

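header    SARE_RECV_SPAM_DOMN06    Received =~ /adsl\.cust\.tie\.cl/i
describe  SARE_RECV_SPAM_DOMN06    Passed through possible spammer relay or source
score     SARE_RECV_SPAM_DOMN06    0.878 
#note     SARE_RECV_SPAM_DOMN06    Dots are escaped so that only the literal suffix adsl.cust.tie.cl matches (any case); an unescaped "." would accept any character in those positions.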
#ham      SARE_RECV_SPAM_DOMN06    verified (1) 
#hist     SARE_RECV_SPAM_DOMN06    Created by Bob Menschel Jul 17 2004
#counts   SARE_RECV_SPAM_DOMN06    161s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPAM_DOMN06    7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_SPAM_DOMN06    6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_SPAM_DOMN06    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_SPAM_DOMN06    2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_SPAM_DOMN06    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_SPAM_DOMN0a    Received =~ /\b(?:cyberemailings|netmedia-corp|themailservers|ucanrecover|vnuemedia|winnerssweepstakes|wseas|www--directory)\.(?:com|net|org|info)/
describe  SARE_RECV_SPAM_DOMN0a    Email passed through apparent spammer domain 
score     SARE_RECV_SPAM_DOMN0a    1.666
#note     SARE_RECV_SPAM_DOMN0a    Matches any of the eight listed names followed by .com, .net, .org or .info; every name/TLD combination is accepted, not only registered ones.
#note     SARE_RECV_SPAM_DOMN0a    Case-sensitive, and there is no boundary after the TLD, so a longer label starting with one of the four TLD strings also matches.
#ham      SARE_RECV_SPAM_DOMN0a    218-162-39-132.dynamic.hinet.net, valid/appropriate UCE
#hist     SARE_RECV_SPAM_DOMN0a    freeserve.com removed May 16 2005
#counts   SARE_RECV_SPAM_DOMN0a    26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_SPAM_DOMN0a    242s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_SPAM_DOMN0a    4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_SPAM_DOMN0a    7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_SPAM_DOMN0a    2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_SPAM_DOMN0a    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_SPAM_DOMN0a    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

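header    SARE_RECV_SPAM_DOMN0b    Received =~ /\bdynamic\.hinet\.(?:com|net|org|info)/
describe  SARE_RECV_SPAM_DOMN0b    Email passed through apparent spammer domain 
score     SARE_RECV_SPAM_DOMN0b    1.666
#note     SARE_RECV_SPAM_DOMN0b    The dot between "dynamic" and "hinet" is escaped so only the literal name dynamic.hinet.<tld> matches; previously any character was accepted there.
#note     SARE_RECV_SPAM_DOMN0b    Case-sensitive; tested against every Received header, so mail first submitted from a dynamic.hinet address hits even when it was relayed through another server.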
#ham      SARE_RECV_SPAM_DOMN0b    confirmed (many)
#counts   SARE_RECV_SPAM_DOMN0b    4287s/20h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPAM_DOMN0b    40s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_SPAM_DOMN0b    59s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_SPAM_DOMN0b    31s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_SPAM_DOMN0b    1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

header    SARE_RECV_SPEEDY_AR      Received =~ /\b(?:speedy)\.(?:com|net)\.ar/
describe  SARE_RECV_SPEEDY_AR      Email passed through apparent spammer domain 
score     SARE_RECV_SPEEDY_AR      1.154
#note     SARE_RECV_SPEEDY_AR      Matches speedy.com.ar or speedy.net.ar in any Received header; case-sensitive (no /i flag).
#ham      SARE_RECV_SPEEDY_AR      From: "Hushport Admin" <postmaster@hushport.com>, Received: from nairobi (200-63-141-89.speedy.com.ar [200.63.141.89])
#counts   SARE_RECV_SPEEDY_AR      278s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPEEDY_AR      32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_SPEEDY_AR      7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_SPEEDY_AR      14s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_SPEEDY_AR      5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_SPEEDY_AR      8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_SPEEDY_AR      1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_UK2NET2        Received =~ /\buk2\.net\b/i
describe  SARE_RECV_UK2NET2        Passed through possible spammer relay or source
score     SARE_RECV_UK2NET2        0.789
#note     SARE_RECV_UK2NET2        Case-insensitive match on "uk2.net" with a word boundary on both sides, in any Received header.
#hist     SARE_RECV_UK2NET2        Created by Bob Menschel Oct 01 2004
#counts   SARE_RECV_UK2NET2        29s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_UK2NET2        7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_UK2NET2        8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_UK2NET2        0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_UK2NET2        2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_UK2NET2        3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_UK2NET2        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_VIRTUACOMBR    Received =~ /\bvirtua\.com\.br/
describe  SARE_RECV_VIRTUACOMBR    Came through/fromsite used by spammer
score     SARE_RECV_VIRTUACOMBR    0.680
#note     SARE_RECV_VIRTUACOMBR    Matches "virtua.com.br" at a word boundary in any Received header; case-sensitive (no /i flag).
#ham      SARE_RECV_VIRTUACOMBR    confirmed (4)
#hist     SARE_RECV_VIRTUACOMBR    RM_hr_VirtuaComBr
#counts   SARE_RECV_VIRTUACOMBR    882s/45h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_VIRTUACOMBR    20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_VIRTUACOMBR    104s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_VIRTUACOMBR    17s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_VIRTUACOMBR    37s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_VIRTUACOMBR    4s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

#####################################################################################
#         SARE Received Header IP Address Rules
########  ######################   ##################################################

#eader    __SARE_RECV_BEZEQINT     Received =~ /\bbezeqint\.net/
header    __SARE_RECV_BEZEQINT1    Received =~ /\[212\.179\.13\.\d{1,3}\]/
header    __SARE_RECV_BEZEQINT2    Received =~ /\[212\.179\.(?:8\d|9[1-46-9]|10[0-6]|11[6-9]|12[89]|1[3-6]\d|17[0-36-9]|19[02-9]|2\d\d)\.\d{1,3}\]/
header    __SARE_RECV_BEZEQINT3    Received =~ /\[62\.219\.(?:4[89]|5[1-9]|[67]\d|11[2-9]|1[2-5]\d|189|192)\.\d{1,3}\]/
header    __SARE_RECV_BEZEQINT4    Received =~ /\[81\.218\.(?:\d{1,2}|1[01]\d|12[0-7]|13[2-9]|1[4-9]\d|2\d\d)\.\d{1,3}\]/
header    __SARE_RECV_BEZEQINT5    Received =~ /\[82\.80\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}\]/
header    __SARE_RECV_BEZEQINT6    Received =~ /\[82\.81\.(?:\d|\d\d|1[01]\d|12[0-7]|19[2-9]|2[01]\d|22[0-3])\.\d{1,3}\]/
meta      SARE_RECV_BEZEQINT_B     __SARE_RECV_BEZEQINT1 || __SARE_RECV_BEZEQINT2 || __SARE_RECV_BEZEQINT3 || __SARE_RECV_BEZEQINT4 || __SARE_RECV_BEZEQINT5 || __SARE_RECV_BEZEQINT6
describe  SARE_RECV_BEZEQINT_B     Came through/fromsite used by spammer
score     SARE_RECV_BEZEQINT_B     0.980
#note     SARE_RECV_BEZEQINT_B     Each sub-rule matches a bracketed IPv4 literal; third-octet coverage as written:
#note     SARE_RECV_BEZEQINT_B       1: 212.179.13
#note     SARE_RECV_BEZEQINT_B       2: 212.179.{80-89, 91-94, 96-106, 116-119, 128-173, 176-179, 190, 192-255}
#note     SARE_RECV_BEZEQINT_B       3: 62.219.{48-49, 51-79, 112-159, 189, 192}
#note     SARE_RECV_BEZEQINT_B       4: 81.218.{0-127, 132-255}
#note     SARE_RECV_BEZEQINT_B       5: 82.80.{0-63, 128-223}
#note     SARE_RECV_BEZEQINT_B       6: 82.81.{0-127, 192-223}
#note     SARE_RECV_BEZEQINT_B     The meta ORs the six, so the score is applied once however many sub-rules hit.
#note     SARE_RECV_BEZEQINT_B     Sub-rule 5 also covers the range of SARE_RECV_IP_082080 (82.80.128-189, 191); such a hop is scored by both rules.
#note     SARE_RECV_BEZEQINT_B     Tested against every Received header, including hops below the local trust boundary.
#ham      SARE_RECV_BEZEQINT_B     verified (4)
#hist     SARE_RECV_BEZEQINT_B     Created by Bob Menschel Jan 29 from data supplied by Bezeqint.net to replace SARE_RECV_BEZEQINT
#counts   SARE_RECV_BEZEQINT_B     494s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_BEZEQINT_B     21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_BEZEQINT_B     24s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_BEZEQINT_B     18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_BEZEQINT_B     2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_BEZEQINT_B     6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_BEZEQINT_B     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_FROMIP1     Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
describe  SARE_RECV_IP_FROMIP1     Received line is IP address from IP address
score     SARE_RECV_IP_FROMIP1     1.666
#note     SARE_RECV_IP_FROMIP1     Matches "from <ipv4> by <ipv4>" where both sides are bare (unbracketed) dotted quads; each octet alternation accepts 0-254.
#note     SARE_RECV_IP_FROMIP1     The pattern is unanchored after the second address, and the two capturing groups are not used by the rule.
#hist     SARE_RECV_IP_FROMIP1     From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED
#ham      SARE_RECV_IP_FROMIP1     ham: South Valley Bank
#counts   SARE_RECV_IP_FROMIP1     2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_FROMIP1     1547s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_FROMIP1     1784s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_FROMIP1     37s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_FROMIP1     639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_FROMIP1     125s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_FROMIP1     661s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_FROMIP1     1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_FROMIP3     ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i
describe  SARE_RECV_IP_FROMIP3     Received line is IP address from IP address
score     SARE_RECV_IP_FROMIP3     1.666
#note     SARE_RECV_IP_FROMIP3     Runs against the ALL pseudo-header and matches a whole line of the form "Received: from <ipv4> by <host>; <date> <zone>".
#note     SARE_RECV_IP_FROMIP3     The "by" side must end in .com, .net, .org or .biz, so it is a host name rather than an IP literal; the description text is shared with SARE_RECV_IP_FROMIP1.
#note     SARE_RECV_IP_FROMIP3     Single spaces are literal: a folded or differently spaced header does not match.
#match    SARE_RECV_IP_FROMIP3     Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500
#ham      SARE_RECV_IP_FROMIP3     Messages from a cell phone
#hist     SARE_RECV_IP_FROMIP3     From Fred <tech2@i-is.com>, Fri, 2 Apr 2004, RE_hrip_IPfromIPc
#counts   SARE_RECV_IP_FROMIP3     587s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_FROMIP3     111s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_FROMIP3     155s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_FROMIP3     15s/3h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_FROMIP3     46s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_FROMIP3     4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_FROMIP3     42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_FROMIP3     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_061050      Received =~ /\[61\.5[01]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_061050      Spam passed through possible spammer relay
score     SARE_RECV_IP_061050      1.666
#note     SARE_RECV_IP_061050      Matches a bracketed IPv4 literal in 61.50.x.x or 61.51.x.x in any Received header.
#ham      SARE_RECV_IP_061050      confirmed (2) 
#counts   SARE_RECV_IP_061050      757s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_061050      7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_061050      14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_061050      4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_061050      4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_061050      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_061072      Received =~ /\[61\.7[2-7]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_061072      Passed through possible spammer relay or source
score     SARE_RECV_IP_061072      1.666
#note     SARE_RECV_IP_061072      Matches a bracketed IPv4 literal in 61.72.x.x through 61.77.x.x (six /16 blocks) in any Received header.
#note     SARE_RECV_IP_061072      Korea Telecom
#hist     SARE_RECV_IP_061072      Created by Bob Menschel Nov 02 2004
#ham      SARE_RECV_IP_061072      verified (1)
#counts   SARE_RECV_IP_061072      2043s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_061072      38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_061072      48s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_061072      21s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_IP_061072      2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

header    SARE_RECV_IP_061187      Received =~ /\[61\.187\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_061187      Passed through possible spammer relay or source
score     SARE_RECV_IP_061187      0.639
#note     SARE_RECV_IP_061187      Matches a bracketed IPv4 literal anywhere in 61.187.x.x in any Received header.
#hist     SARE_RECV_IP_061187      Created by Bob Menschel Aug 09 2004
#counts   SARE_RECV_IP_061187      14s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_061187      36s/1h of 114241 corpus (81067s/33174h RM) 01/15/05
#counts   SARE_RECV_IP_061187      4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_061187      4s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
#counts   SARE_RECV_IP_061187      12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_061187      20s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_061187      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_061187      2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_061187      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_061190      Received =~ /\[61\.190\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_061190      Spam passed through possible spammer relay
score     SARE_RECV_IP_061190      1.111
#note     SARE_RECV_IP_061190      Matches a bracketed IPv4 literal anywhere in 61.190.x.x in any Received header.
#stype    SARE_RECV_IP_061190      spamp
#hist     SARE_RECV_IP_061190      Created by Bob Menschel Apr 04 2004
#counts   SARE_RECV_IP_061190      42s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_061190      2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_061190      3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_061190      5s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_061190      2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_061190      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_061228      Received =~ /\[61\.(?:22[89]|23[01])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_061228      Spam passed through possible spammer relay
score     SARE_RECV_IP_061228      1.633
#note     SARE_RECV_IP_061228      Matches a bracketed IPv4 literal in 61.228.x.x through 61.231.x.x in any Received header.
#ham      SARE_RECV_IP_061228      verified (1)
#counts   SARE_RECV_IP_061228      757s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_061228      6s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_061228      9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_061228      4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_RECV_IP_061228      6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_061228      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_062023      Received =~ /\[62\.23\.133\.(?:19[2-9]|2\d{2})\]/
describe  SARE_RECV_IP_062023      Passed through possible spammer relay or source
score     SARE_RECV_IP_062023      1.111
#note     SARE_RECV_IP_062023      Matches a bracketed IPv4 literal 62.23.133.192 through 62.23.133.255 (the 2\d{2} branch is textually 200-299; only 200-255 occur in real addresses).
#stype    SARE_RECV_IP_062023      spamp
#hist     SARE_RECV_IP_062023      Created by Bob Menschel Feb 10 2005 from Spam-L info
#note     SARE_RECV_IP_062023      E-Mail-Vision
#counts   SARE_RECV_IP_062023      9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_062023      22s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_IP_062023      0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_RECV_IP_062023      0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_062023      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_062023      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_065205157   received =~ /\[65\.205\.157\.(?:19[2-9]|2[01]\d|22[0-3])\]/
describe  SARE_RECV_IP_065205157   Spam passed through possible spammer relay
score     SARE_RECV_IP_065205157   1.111
#note     SARE_RECV_IP_065205157   Matches a bracketed IPv4 literal 65.205.157.192 through 65.205.157.223.
#note     SARE_RECV_IP_065205157   NOTE(review): the header name is written in lower case, unlike the other rules here; header-name lookup is expected to be case-insensitive -- confirm with spamassassin --lint.
#stype    SARE_RECV_IP_065205157   spamp
#hist     SARE_RECV_IP_065205157   Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
#counts   SARE_RECV_IP_065205157   0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_IP_065205157   7s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_IP_065205157   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_065205157   67s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_065205157   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_065205157   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_064034      Received =~ /\[64\.34\.(?:\d{1,2}|1(?:[01]|2[0-7]))\.\d{1,3}\]/
describe  SARE_RECV_IP_064034      Spam passed through possible spammer relay
score     SARE_RECV_IP_064034      0.639  
#note     SARE_RECV_IP_064034      As written the third octet matches 0-99 (\d{1,2}), 10 and 11 again (1[01]), and 120-127 (12[0-7]).
#note     SARE_RECV_IP_064034      NOTE(review): 100-119 is not covered; compare 1(?:[01]\d|2[0-7]) in SARE_RECV_IP_069060096. Looks like a missing \d after [01] -- confirm the intended block and re-run mass-check before widening.
#stype    SARE_RECV_IP_064034      spamp 
#hist     SARE_RECV_IP_064034      Created by Bob Menschel Aug 07 2005
#counts   SARE_RECV_IP_064034      144s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_064034      2s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_064034      4s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_066017      Received =~ /\[66\.17\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}\]/
describe  SARE_RECV_IP_066017      Passed through possible spammer relay or source
score     SARE_RECV_IP_066017      0.689
#note     SARE_RECV_IP_066017      Matches a bracketed IPv4 literal with third octet 128-255, i.e. the upper half of 66.17.x.x.
#ham      SARE_RECV_IP_066017      confirmed (8)
#note     SARE_RECV_IP_066017      Yipes Communications Inc
#hist     SARE_RECV_IP_066017      Created by Bob Menschel Nov 20 2004
#counts   SARE_RECV_IP_066017      88s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_066017      1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_066017      2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_066017      224s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_066017      335s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_066017      0s/8h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_066017      149s/8h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_066017      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_066165224   Received =~ /\[66\.165\.2(?:2[4-9]|3\d)\.\d{1,3}\]/
describe  SARE_RECV_IP_066165224   Spam passed through possible spammer relay
score     SARE_RECV_IP_066165224   0.675  
#note     SARE_RECV_IP_066165224   Matches a bracketed IPv4 literal 66.165.224.x through 66.165.239.x in any Received header.
#ham      SARE_RECV_IP_066165224   confirmed: 3
#hist     SARE_RECV_IP_066165224   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_066165224   Cyber World Internet Services
#counts   SARE_RECV_IP_066165224   7s/3h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_066165224   34s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
#counts   SARE_RECV_IP_066165224   1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_066165224   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_066165224   78s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_066165224   124s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_RECV_IP_066248154   Received =~ /\[66\.248\.154\.\d{1,3}\]/
describe  SARE_RECV_IP_066248154   Spam passed through possible spammer relay
score     SARE_RECV_IP_066248154   1.111
#note     SARE_RECV_IP_066248154   Matches a bracketed IPv4 literal anywhere in 66.248.154.x in any Received header.
#stype    SARE_RECV_IP_066248154   spamp 
#hist     SARE_RECV_IP_066248154   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_066248154   Advanced Dedicated Database Servers LLC
#counts   SARE_RECV_IP_066248154   0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#max      SARE_RECV_IP_066248154   8s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_RECV_IP_066248154   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_066248154   17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

header    SARE_RECV_IP_069050210   Received =~ /\[69\.50\.210\.\d{1,3}\]/
describe  SARE_RECV_IP_069050210   Spam passed through possible spammer relay
score     SARE_RECV_IP_069050210   0.691
#note     SARE_RECV_IP_069050210   Matches a bracketed IPv4 literal anywhere in 69.50.210.x in any Received header.
#ham      SARE_RECV_IP_069050210   confirmed (2) 
#hist     SARE_RECV_IP_069050210   Created by Fred Tarasevicius May 2005
#counts   SARE_RECV_IP_069050210   49s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_069050210   12s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#counts   SARE_RECV_IP_069050210   12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

header    SARE_RECV_IP_069060096   Received =~ /\[69\.60\.(?:9[6-9]|1(?:[01]\d|2[0-7]))\.\d{1,3}\]/
describe  SARE_RECV_IP_069060096   Spam passed through possible spammer relay
score     SARE_RECV_IP_069060096   1.666
#note     SARE_RECV_IP_069060096   Matches a bracketed IPv4 literal 69.60.96.x through 69.60.127.x (96-99, 100-119, 120-127) in any Received header.
#ham      SARE_RECV_IP_069060096   verified (1) 
#hist     SARE_RECV_IP_069060096   Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_069060096   6813s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_069060096   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_069060096   2s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_069060096   398s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

header    SARE_RECV_IP_082080      Received =~ /\[82\.80\.(?:12[89]|1[3-8]\d|191)\.\d{1,3}\]/
describe  SARE_RECV_IP_082080      Spam passed through possible spammer relay
score     SARE_RECV_IP_082080      1.111
#note     SARE_RECV_IP_082080      Matches a bracketed IPv4 literal with third octet 128-189 or 191 in 82.80.x.x.
#note     SARE_RECV_IP_082080      NOTE(review): 82.80.190.x is not covered -- confirm whether the gap is intended.
#note     SARE_RECV_IP_082080      Every address matched here is also matched by __SARE_RECV_BEZEQINT5 (82.80.128-223), so such a hop adds this score on top of SARE_RECV_BEZEQINT_B.
#stype    SARE_RECV_IP_082080      spamp
#counts   SARE_RECV_IP_082080      26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_082080      2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_082080      3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_082080      2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_IP_082080      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_082080      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

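header    SARE_RECV_IP_082102      Received =~ /\[82\.102\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}\]/
describe  SARE_RECV_IP_082102      Spam passed through possible spammer relay
score     SARE_RECV_IP_082102      0.555
#note     SARE_RECV_IP_082102      Matches a bracketed IPv4 literal 82.102.32.x through 82.102.63.x in any Received header.
#note     SARE_RECV_IP_082102      The separator before the last octet is an escaped dot; it was previously an unescaped "." that accepted any character.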
#stype    SARE_RECV_IP_082102      spamp
#hist     SARE_RECV_IP_082102      Created by Bob Menschel May 20 2004
#counts   SARE_RECV_IP_082102      9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_082102      1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_082102      1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_RECV_IP_082102      1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_082102      1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_082102      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_082154      Received =~ /\[82\.15[45]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_082154      Passed through possible spammer relay or source
score     SARE_RECV_IP_082154      1.144
#note     SARE_RECV_IP_082154      Matches a bracketed IPv4 literal in 82.154.x.x or 82.155.x.x in any Received header.
#ham      SARE_RECV_IP_082154      confirmed (1) 
#hist     SARE_RECV_IP_082154      Created by Bob Menschel Aug 10 2004
#counts   SARE_RECV_IP_082154      572s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_082154      13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_082154      43s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_082154      6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_IP_082154      1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_083028      Received =~ /\[83\.28\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_083028      Passed through possible spammer relay or source
score     SARE_RECV_IP_083028      0.874
#note     SARE_RECV_IP_083028      Matches a bracketed IPv4 literal anywhere in 83.28.x.x (a whole /16) in any Received header.
#ham      SARE_RECV_IP_083028      verified (1)
#hist     SARE_RECV_IP_083028      Created by Bob Menschel Sep 10 2004
#note     SARE_RECV_IP_083028      Large block of IP addresses in Poland
#counts   SARE_RECV_IP_083028      171s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_083028      0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_083028      1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_083028      4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_083028      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_083028      3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_083028      1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_RECV_IP_140117      Received =~ /\[140\.1(?:1[789]|2\d|3[0-8])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_140117      Passed through possible spammer relay or source
score     SARE_RECV_IP_140117      1.189
#note     SARE_RECV_IP_140117      Matches a bracketed IPv4 literal in 140.117.x.x through 140.138.x.x (22 consecutive /16 blocks) in any Received header.
#ham      SARE_RECV_IP_140117      confirmed (1) 
#hist     SARE_RECV_IP_140117      Created by Bob Menschel Oct 03 2004
#note     SARE_RECV_IP_140117      Ministry of Education Computing Center, Taipei, Taiwan
#counts   SARE_RECV_IP_140117      87s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_140117      17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_140117      6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_140117      3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_140117      9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_140117      1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_163125      Received =~ /\[163\.125\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_163125      Spam passed through possible spammer relay
score     SARE_RECV_IP_163125      1.111  
#note     SARE_RECV_IP_163125      Matches a bracketed IPv4 literal anywhere in 163.125.x.x (a whole /16) in any Received header.
#stype    SARE_RECV_IP_163125      spamp 
#hist     SARE_RECV_IP_163125      Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_163125      Success Marketing Associates, LLC
#counts   SARE_RECV_IP_163125      0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_163125      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_163125      1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_163125      9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_RECV_IP_192116      Received =~ /\[192\.116\.13[3-7]\.\d{1,3}\]/
describe  SARE_RECV_IP_192116      Passed through possible spammer relay or source
score     SARE_RECV_IP_192116      0.861
#note     SARE_RECV_IP_192116      Matches a bracketed IPv4 literal 192.116.133.x through 192.116.137.x in any Received header.
#note     SARE_RECV_IP_192116      GILAT-SATCOM
#hist     SARE_RECV_IP_192116      Created by Bob Menschel Nov 16 2004
#counts   SARE_RECV_IP_192116      2s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_192116      52s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_IP_192116      1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_192116      1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_IP_192116      1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_192116      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_195229      Received =~ /\[195\.229\.2[45]\d\.\d{1,3}\]/
describe  SARE_RECV_IP_195229      Passed through possible spammer relay or source
score     SARE_RECV_IP_195229      0.805
#note     SARE_RECV_IP_195229      Matches a bracketed IPv4 literal 195.229.240.x through 195.229.255.x (2[45]\d is textually 240-259; only 240-255 occur in real addresses).
#hist     SARE_RECV_IP_195229      Created by Bob Menschel Aug 31 2004
#counts   SARE_RECV_IP_195229      16s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_195229      44s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_RECV_IP_195229      0s/0h of 38748 corpus (15267s/23481h JH-SA3.0rc1) 09/04/04
#counts   SARE_RECV_IP_195229      0s/0h of 19447 corpus (16862s/2585h MY) 09/04/04
#counts   SARE_RECV_IP_195229      1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_195229      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_200150      Received =~ /\[200\.150\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_200150      Spam passed through possible spammer relay
score     SARE_RECV_IP_200150      1.031
#note     SARE_RECV_IP_200150      Matches a bracketed IPv4 literal anywhere in 200.150.x.x (a whole /16) in any Received header.
#ham      SARE_RECV_IP_200150      confirmed (2) 
#hist     SARE_RECV_IP_200150      Created by Bob Menschel Aug 29 2004
#counts   SARE_RECV_IP_200150      142s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_200150      19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_200150      7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_200150      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_200150      3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_200150      1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

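header    SARE_RECV_IP_203210128   Received =~ /\[203\.210\.(?:1(?:2[89]|[3-9]\d)|2\d\d)\.\d{1,3}\]/
describe  SARE_RECV_IP_203210128   Spam passed through possible spammer relay
score     SARE_RECV_IP_203210128   0.516
#note     SARE_RECV_IP_203210128   Matches a bracketed IPv4 literal with third octet 128-255, i.e. the upper half of 203.210.x.x.
#note     SARE_RECV_IP_203210128   The dot after 203 is escaped; it was previously an unescaped "." that accepted any character.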
#ham      SARE_RECV_IP_203210128   verified (3)
#hist     SARE_RECV_IP_203210128   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_203210128   Vietnam Posts and Telecommunications (VNPT)
#counts   SARE_RECV_IP_203210128   56s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_203210128   0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_203210128   2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_203210128   69s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_203210128   79s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_203210128   2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_203210128   3s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_203177      Received =~ /\[203\.177\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}\]/
describe  SARE_RECV_IP_203177      Passed through possible spammer relay or source
score     SARE_RECV_IP_203177      0.622
#note     SARE_RECV_IP_203177      Fires on a bracketed 203.177.128.x - 203.177.191.x address in any Received header.
#hist     SARE_RECV_IP_203177      Created by Bob Menschel Aug 20 2004
#ham      SARE_RECV_IP_203177      verified (1)
#counts   SARE_RECV_IP_203177      8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_203177      42s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_IP_203177      1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_203177      1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_203177      5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_203177      2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_203177      4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_203177      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_206131      Received =~ /\[206\.131\.2(?:2[4-9]|[345]\d)\.\d{1,3}\]/
describe  SARE_RECV_IP_206131      Spam passed through possible spammer relay
score     SARE_RECV_IP_206131      1.666
#note     SARE_RECV_IP_206131      Fires on a bracketed 206.131.224.x and above (third octet 224-259 as written,
#note     SARE_RECV_IP_206131      i.e. 224-255 for real addresses) in any Received header.
#ham      SARE_RECV_IP_206131      confirmed (1) 
#hist     SARE_RECV_IP_206131      Created by Bob Menschel Feb 5 2005 from Spam-L info
#note     SARE_RECV_IP_206131      Minerva Network Systems, Inc.
#counts   SARE_RECV_IP_206131      2849s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_206131      0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_206131      34s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_206131      6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_IP_206131      1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_206248152   Received =~ /\[206\.248\.153\.\d{1,3}\]/
describe  SARE_RECV_IP_206248152   Spam passed through possible spammer relay
score     SARE_RECV_IP_206248152   0.617
#note     SARE_RECV_IP_206248152   Fires on a bracketed 206.248.153.x address in any Received header.
#note     SARE_RECV_IP_206248152   NOTE(review): the rule name says 152 but the pattern tests 153; confirm which
#note     SARE_RECV_IP_206248152   third octet was intended before relying on this rule.
#ham      SARE_RECV_IP_206248152   confirmed (1) 
#hist     SARE_RECV_IP_206248152   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_206248152   3zCanada-GTA1
#counts   SARE_RECV_IP_206248152   1s/1h of 378679 corpus (166455s/212224h RM) 07/24/05
#max      SARE_RECV_IP_206248152   19s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#counts   SARE_RECV_IP_206248152   2s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_206248152   0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_RECV_IP_209051      Received =~ /\[209\.51\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
describe  SARE_RECV_IP_209051      Spam passed through possible spammer relay
score     SARE_RECV_IP_209051      1.111  
#note     SARE_RECV_IP_209051      Fires on a bracketed 209.51.192.x - 209.51.255.x address in any Received header
#note     SARE_RECV_IP_209051      (2\d\d also admits 256-299, which no real address uses).
#stype    SARE_RECV_IP_209051      spamp 
#hist     SARE_RECV_IP_209051      Created by Bob Menschel Aug 07 2005
#note     SARE_RECV_IP_209051      S-INFOTECH, Inc.
#counts   SARE_RECV_IP_209051      56s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_209051      0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_209051      1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_209190      Received =~ /\[209\.190\.(?:8|9|1[0-5])\.\d{1,3}\]/
describe  SARE_RECV_IP_209190      Spam passed through possible spammer relay
score     SARE_RECV_IP_209190      1.111  
#note     SARE_RECV_IP_209190      Fires on a bracketed 209.190.8.x - 209.190.15.x address in any Received header.
#stype    SARE_RECV_IP_209190      spamp 
#hist     SARE_RECV_IP_209190      Created by Bob Menschel Aug 07 2005
#note     SARE_RECV_IP_209190      S-INFOTECH, Inc.
#counts   SARE_RECV_IP_209190      26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_209190      0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_209190      0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_216118120   Received =~ /\[216\.118\.120\.(?:6[4-9]|[78]\d|9[0-1])\]/
describe  SARE_RECV_IP_216118120   Spam passed through possible spammer relay
score     SARE_RECV_IP_216118120   2.222  
#note     SARE_RECV_IP_216118120   Fires on a bracketed 216.118.120.64 - 216.118.120.91 address in any Received header.
#note     SARE_RECV_IP_216118120   Narrow host range with a comparatively high score; the match is not limited to
#note     SARE_RECV_IP_216118120   trusted hops, so a forged Received line can also trigger it.
#hist     SARE_RECV_IP_216118120   Created by Bob Menschel Aug 07 2005
#counts   SARE_RECV_IP_216118120   1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_216118120   0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_216118120   0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_211216      Received =~ /\[211\.2(?:1[6-9]|2[0-5]\d)\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_211216      Passed through possible spammer relay or source
score     SARE_RECV_IP_211216      1.666 
#note     SARE_RECV_IP_211216      As written, real addresses match only with second octet 216-219: the other
#note     SARE_RECV_IP_211216      branch, 2[0-5]\d, requires a four-digit octet (2200-2259) and cannot match.
#note     SARE_RECV_IP_211216      NOTE(review): the range was presumably meant to extend above 219; confirm the
#note     SARE_RECV_IP_211216      intended upper bound and re-run mass-checks before widening the pattern.
#ham      SARE_RECV_IP_211216      confirmed (1) - YahooGroups moderated group, posting approved by moderator
#hist     SARE_RECV_IP_211216      Created by Bob Menschel Aug 20 2004
#note     SARE_RECV_IP_211216      Korea Telecom
#counts   SARE_RECV_IP_211216      1308s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_211216      27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_211216      40s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_211216      11s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_211216      14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_211216      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_212068      Received =~ /\[212\.68\.2[45]\d\.\d{1,3}\]/
describe  SARE_RECV_IP_212068      Spam passed through possible spammer relay
score     SARE_RECV_IP_212068      1.111
#note     SARE_RECV_IP_212068      Fires on a bracketed 212.68.240.x - 212.68.255.x address in any Received header
#note     SARE_RECV_IP_212068      (2[45]\d also admits 256-259, which no real address uses).
#stype    SARE_RECV_IP_212068      spamp
#hist     SARE_RECV_IP_212068      Created by Bob Menschel Apr 09 2004
#counts   SARE_RECV_IP_212068      18s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_212068      1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_212068      1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_RECV_IP_212068      1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_212068      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_212068      1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_212068      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_216022      Received =~ /\[216\.22\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_216022      Spam passed through possible spammer relay
score     SARE_RECV_IP_216022      1.666
#note     SARE_RECV_IP_216022      Fires on a bracketed 216.22.x.x address in any Received header (whole /16).
#note     SARE_RECV_IP_216022      The RM corpus line below records 5 ham hits, so mail from legitimate hosts in
#note     SARE_RECV_IP_216022      this block is also scored.
#hist     SARE_RECV_IP_216022      Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_216022      1146s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_216022      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_216022      3s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_216022      100s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

header    SARE_RECV_IP_218070      Received =~ /\[218\.70\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218070      Spam passed through possible spammer relay
score     SARE_RECV_IP_218070      1.111
#note     SARE_RECV_IP_218070      Fires on a bracketed 218.70.x.x address in any Received header (whole /16).
#stype    SARE_RECV_IP_218070      spamp
#counts   SARE_RECV_IP_218070      4s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_218070      21s/0h of 112471 corpus (92494s/19977h) 03/14/04
#counts   SARE_RECV_IP_218070      1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_RECV_IP_218070      2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_218070      1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_218070      1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_218070      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_218070      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_218072      Received =~ /\[218\.72\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218072      Spam passed through possible spammer relay
score     SARE_RECV_IP_218072      0.794
#note     SARE_RECV_IP_218072      Fires on a bracketed 218.72.x.x address in any Received header (whole /16).
#hist     SARE_RECV_IP_218072      Created by Bob Menschel May 23 2004
#counts   SARE_RECV_IP_218072      55s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_218072      69s/2h of 120459 corpus (71363s/49096h RM) 02/12/05
#counts   SARE_RECV_IP_218072      16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_218072      22s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_218072      91s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_218072      133s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_218072      10s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_RECV_IP_218072      13s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_218072      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_218078      Received =~ /\[218\.(?:7[89]|8[0123])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218078      Passed through possible spammer relay or source
score     SARE_RECV_IP_218078      1.666
#note     SARE_RECV_IP_218078      Fires on a bracketed 218.78.x.x - 218.83.x.x address in any Received header.
#note     SARE_RECV_IP_218078      This covers six /16 blocks of a consumer ISP, so originating-client hops of
#note     SARE_RECV_IP_218078      legitimate senders in that range are scored as well.
#hist     SARE_RECV_IP_218078      Created by Bob Menschel Oct 07 2004
#note     SARE_RECV_IP_218078      ChinaNet, Shanghai Province 
#counts   SARE_RECV_IP_218078      367s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_218078      581s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_IP_218078      38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_218078      677s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_218078      71s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_218078      74s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_218078      8s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_218088      Received =~ /\[218\.8[89]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218088      Passed through possible spammer relay or source
score     SARE_RECV_IP_218088      1.378
#note     SARE_RECV_IP_218088      Fires on a bracketed 218.88.x.x or 218.89.x.x address in any Received header.
#ham      SARE_RECV_IP_218088      confirmed: 1
#note     SARE_RECV_IP_218088      CHINANET sichuan province network 
#hist     SARE_RECV_IP_218088      Created by Bob Menschel Nov 04 2004
#counts   SARE_RECV_IP_218088      71s/1h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_RECV_IP_218088      111s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_IP_218088      11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_218088      13s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_218088      19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_218088      2s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_218088      5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_218088      1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_218216      Received =~ /\[218\.(?:21[6-9]|22\d|23[01])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_218216      Passed through possible spammer relay or source
score     SARE_RECV_IP_218216      0.740
#note     SARE_RECV_IP_218216      Fires on a bracketed 218.216.x.x - 218.231.x.x address in any Received header.
#ham      SARE_RECV_IP_218216      confirmed (2) 
#hist     SARE_RECV_IP_218216      Created by Bob Menschel Oct 23 2004
#counts   SARE_RECV_IP_218216      260s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_218216      21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_218216      12s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_218216      6s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_218216      11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_218216      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_219128      Received =~ /\[219\.1(?:2[89]|3[0-7])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_219128      Passed through possible spammer relay or source
score     SARE_RECV_IP_219128      1.666 
#note     SARE_RECV_IP_219128      Fires on a bracketed 219.128.x.x - 219.137.x.x address in any Received header.
#hist     SARE_RECV_IP_219128      Created by Bob Menschel Aug 23 2004
#counts   SARE_RECV_IP_219128      1752s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_219128      100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_219128      225s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_219128      17s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_219128      37s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_219128      4s/1h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_220116      Received =~ /\[220\.(?:11[6-9]|12[0-7])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_220116      Passed through possible spammer relay or source
score     SARE_RECV_IP_220116      1.666
#note     SARE_RECV_IP_220116      Fires on a bracketed 220.116.x.x - 220.127.x.x address in any Received header.
#ham      SARE_RECV_IP_220116      confirmed (1)
#hist     SARE_RECV_IP_220116      Created by Bob Menschel Jul 17 2004
#note     SARE_RECV_IP_220116      Korea Telecom
#counts   SARE_RECV_IP_220116      1177s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_220116      108s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_220116      161s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_220116      58s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_IP_220116      2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_221124      Received =~ /\[221\.12[4-7]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_221124      Spam passed through possible spammer relay
score     SARE_RECV_IP_221124      1.666
#note     SARE_RECV_IP_221124      Fires on a bracketed 221.124.x.x - 221.127.x.x address in any Received header.
#hist     SARE_RECV_IP_221124      Created by Bob Menschel May 30 2004
#counts   SARE_RECV_IP_221124      633s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_221124      66s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_221124      74s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_221124      16s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_221124      12s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_221124      24s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_221124      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_222000      Received =~ /\[222\.(?:\d|1[0-5])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_222000      Passed through possible spammer relay or source
score     SARE_RECV_IP_222000      0.553
#note     SARE_RECV_IP_222000      Fires on a bracketed 222.0.x.x - 222.15.x.x address in any Received header.
#note     SARE_RECV_IP_222000      The RM corpus line below records 19 ham hits, which is why the score is low;
#note     SARE_RECV_IP_222000      treat a hit as a weak signal only.
#ham      SARE_RECV_IP_222000      confirmed (1)
#hist     SARE_RECV_IP_222000      Created by Bob Menschel Aug 09 2004
#counts   SARE_RECV_IP_222000      171s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_222000      20s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_222000      6s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_222000      2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_222000      7s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_222000      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_222064      Received =~ /\[222\.(?:6[4-9]|7[0-3])\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_222064      Spam passed through possible spammer relay
score     SARE_RECV_IP_222064      1.666
#note     SARE_RECV_IP_222064      Fires on a bracketed 222.64.x.x - 222.73.x.x address in any Received header.
#ham      SARE_RECV_IP_222064      verified (1) 
#hist     SARE_RECV_IP_222064      Created by Bob Menschel Apr 18 2004
#counts   SARE_RECV_IP_222064      728s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_222064      831s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_RECV_IP_222064      95s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_222064      97s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_222064      685s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_222064      849s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_222064      27s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_RECV_IP_222064      65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_222064      5s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

#####################################################################################
#         SARE Reply-To Rules 
########  ######################   ##################################################

#####################################################################################
#         SARE To/Cc Destination rules
########  ######################   ##################################################

header    SARE_TO_EMPTY            To =~ /<>/
describe  SARE_TO_EMPTY            To address is set to empty 
score     SARE_TO_EMPTY            0.330 0.550 0.000 0.550 # prev target: 0.660 when added to TO_NO_USER
score     SARE_TO_EMPTY            0.000 0.222 0.000 0.222 # curr target: 0.333 when added to TO_NO_USER
#note     SARE_TO_EMPTY            Fires when the To header contains the literal "<>" anywhere in its value.
#note     SARE_TO_EMPTY            Each score line carries four values, one per SpamAssassin score set. The later
#note     SARE_TO_EMPTY            line replaces the earlier one, so the "curr target" values are the ones applied
#note     SARE_TO_EMPTY            and the rule is switched off (0.000) in the first and third score sets.
#hist     SARE_TO_EMPTY            Originally submitted by Bob Menschel
#overlap  SARE_TO_EMPTY            Distrib: TO_NO_USER: score TO_NO_USER 0.332 0.116 1.615 0.128
#counts   SARE_TO_EMPTY            5s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_TO_EMPTY            26s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#counts   SARE_TO_EMPTY            12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TO_EMPTY            0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TO_EMPTY            0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_TO_EMPTY            0s/1h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_TO_EMPTY            0s/2h of 5653 corpus (1019s/4634h ft) 06/04/05

#####################################################################################
#         SARE X-Mailer Rules
########  ######################   ##################################################

header    SARE_XMAIL_GDI           X-Mailer=~/GDI Mailer/
describe  SARE_XMAIL_GDI           Ratware mailer
score     SARE_XMAIL_GDI           0.100
#note     SARE_XMAIL_GDI           Case-sensitive substring test for "GDI Mailer" in X-Mailer. The header is set by
#note     SARE_XMAIL_GDI           the sender, so its absence proves nothing; the counts below show at most one hit
#note     SARE_XMAIL_GDI           per corpus, which matches the token score.
#hist     SARE_XMAIL_GDI           Bob Menschel, Feb 25 2005
#counts   SARE_XMAIL_GDI           0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_XMAIL_GDI           1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_XMAIL_GDI           0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_XMAIL_GDI           0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_GDI           1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_XMAIL_GOMAIL        X-Mailer =~ /GoMail/i
describe  SARE_XMAIL_GOMAIL        Apparently uses spam/bulk mailer
score     SARE_XMAIL_GOMAIL        1.666
#note     SARE_XMAIL_GOMAIL        Case-insensitive substring test with no word boundaries, so any X-Mailer value
#note     SARE_XMAIL_GOMAIL        that merely contains "gomail" also fires. The ft corpus line below records
#note     SARE_XMAIL_GOMAIL        0s/2h. NOTE(review): consider anchoring with \b after checking those ham hits.
#hist     SARE_XMAIL_GOMAIL        Bob Menschel, Mar 4 2005, from suggestion by Alex Broens
#counts   SARE_XMAIL_GOMAIL        1319s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_GOMAIL        0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_XMAIL_GOMAIL        1s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
#counts   SARE_XMAIL_GOMAIL        15s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
#counts   SARE_XMAIL_GOMAIL        0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
#counts   SARE_XMAIL_GOMAIL        0s/2h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_XMAIL_PSSMAILER     X-Mailer =~ /PSS Mailer/
describe  SARE_XMAIL_PSSMAILER     Apparently uses bulk mailer
score     SARE_XMAIL_PSSMAILER     1.111  
#note     SARE_XMAIL_PSSMAILER     Case-sensitive substring test for "PSS Mailer" in the sender-supplied X-Mailer.
#stype    SARE_XMAIL_PSSMAILER     spamp
#hist     SARE_XMAIL_PSSMAILER     RM_hxm_PSSMailer
#counts   SARE_XMAIL_PSSMAILER     8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_XMAIL_PSSMAILER     12s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#counts   SARE_XMAIL_PSSMAILER     0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
#counts   SARE_XMAIL_PSSMAILER     0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
#counts   SARE_XMAIL_PSSMAILER     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_PSSMAILER     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_XMAIL_RLSP          X-Mailer =~ /RLSP/
describe  SARE_XMAIL_RLSP          Uses Bulk Mailer used by spammers
score     SARE_XMAIL_RLSP          1.666
#note     SARE_XMAIL_RLSP          Case-sensitive substring test for "RLSP" in X-Mailer. The #ham line below lists
#note     SARE_XMAIL_RLSP          a newsletter and personal mail among the hits, so legitimate users of the same
#note     SARE_XMAIL_RLSP          mailer are scored too.
#ham      SARE_XMAIL_RLSP          cartoon newsletter, personal emails (2) 
#hist     SARE_XMAIL_RLSP          Created by Bob Menschel Sep 27 2004
#counts   SARE_XMAIL_RLSP          1782s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_RLSP          11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_XMAIL_RLSP          0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_XMAIL_RLSP          5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_XMAIL_RLSP          6s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

header    SARE_XMAIL_TOLMAIL       X-Mailer =~ /\bTOL Mailer\b/
describe  SARE_XMAIL_TOLMAIL       X-Mailer used by spammer
score     SARE_XMAIL_TOLMAIL       0.769
#note     SARE_XMAIL_TOLMAIL       Case-sensitive test for the whole words "TOL Mailer" in X-Mailer; the \b anchors
#note     SARE_XMAIL_TOLMAIL       keep it from matching inside a longer product name.
#ham      SARE_XMAIL_TOLMAIL       possible (1) 
#hist     SARE_XMAIL_TOLMAIL       Alex Broens, July 29 2005
#counts   SARE_XMAIL_TOLMAIL       41s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_XMAIL_TOLMAIL       36s/0h of 325151 corpus (158002s/167149h RM) 07/31/05
#counts   SARE_XMAIL_TOLMAIL       0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

#####################################################################################
#         SARE Miscellaneous and X-Header header rules 
########  ######################   ##################################################

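header    SARE_HEAD_DATE14         Date =~ /^.{1,14}$/
describe  SARE_HEAD_DATE14         Date header is 14 characters or shorter
score     SARE_HEAD_DATE14         1.666
#note     SARE_HEAD_DATE14         Fires when the whole Date value is 1-14 characters long. A describe line is
#note     SARE_HEAD_DATE14         supplied so reports show readable text for this rule instead of only its name.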
#counts   SARE_HEAD_DATE14         313s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_DATE14         43s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_DATE14         0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_HEAD_DATE14         0s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_DATE14         0s/1h of 5653 corpus (1019s/4634h ft) 06/04/05

header    SARE_HEAD_DATE_5L        Date =~ /[a-z]{5}\s*$/i
describe  SARE_HEAD_DATE_5L        Date header ends in 5+ letters
score     SARE_HEAD_DATE_5L        0.776
#note     SARE_HEAD_DATE_5L        Fires when the Date value ends with five consecutive letters (any case),
#note     SARE_HEAD_DATE_5L        optionally followed by whitespace; a trailing ")" or digit prevents a match.
#ham      SARE_HEAD_DATE_5L        confirmed (5)
#hist     SARE_HEAD_DATE_5L        Tim Jackson, May 12 2005
#counts   SARE_HEAD_DATE_5L        395s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_DATE_5L        0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_DATE_5L        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_DATE_5L        1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_HEAD_DATE_RNDDATE   Date =~ /RND/i
describe  SARE_HEAD_DATE_RNDDATE   Spam passed through iswest.net relay
score     SARE_HEAD_DATE_RNDDATE   1.666  
#note     SARE_HEAD_DATE_RNDDATE   Fires when the Date header contains "RND" in any case, presumably an unexpanded
#note     SARE_HEAD_DATE_RNDDATE   mailer template token. NOTE(review): the describe text names iswest.net, which
#note     SARE_HEAD_DATE_RNDDATE   the pattern does not test; confirm the description is the intended one.
#stype    SARE_HEAD_DATE_RNDDATE   spamg
#counts   SARE_HEAD_DATE_RNDDATE   1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_DATE_RNDDATE   9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_MSMPR_RNDSTR   X-MSMail-Priority =~ /PRIORITY_STRING/i
describe  SARE_HEAD_MSMPR_RNDSTR   Spam passed through iswest.net relay
score     SARE_HEAD_MSMPR_RNDSTR   1.666  
#note     SARE_HEAD_MSMPR_RNDSTR   Fires when X-MSMail-Priority contains the text "PRIORITY_STRING" in any case,
#note     SARE_HEAD_MSMPR_RNDSTR   presumably a template placeholder the sending tool failed to fill in.
#note     SARE_HEAD_MSMPR_RNDSTR   NOTE(review): the describe text names iswest.net, which the pattern does not
#note     SARE_HEAD_MSMPR_RNDSTR   test; confirm the description is the intended one.
#stype    SARE_HEAD_MSMPR_RNDSTR   spamg
#counts   SARE_HEAD_MSMPR_RNDSTR   8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_MSMPR_RNDSTR   7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_MSMPR_RNDSTR   0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_MSMPR_RNDSTR   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_MSMPR_RNDSTR   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_ORG_PREFIXW    Organization =~ /Prefix that with/i
describe  SARE_HEAD_ORG_PREFIXW    Spam sign in Organization header
score     SARE_HEAD_ORG_PREFIXW    0.617
#note     SARE_HEAD_ORG_PREFIXW    Case-insensitive substring test for "Prefix that with" in the Organization
#note     SARE_HEAD_ORG_PREFIXW    header. The latest RM count below is 0s/0h, so the signature may be stale.
#hist     SARE_HEAD_ORG_PREFIXW    Alex Broens, Feb 20 2005
#counts   SARE_HEAD_ORG_PREFIXW    0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_ORG_PREFIXW    10s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_HEAD_ORG_PREFIXW    0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_HEAD_ORG_PREFIXW    0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_HEAD_ORG_PREFIXW    1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_ORG_PREFIXW    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

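header    SARE_HEAD_XLIB_INDY1     X-Library =~ /Indy 10\.00\.14-B/
describe  SARE_HEAD_XLIB_INDY1     Uses S/W version which has only been seen in spam
score     SARE_HEAD_XLIB_INDY1     0.844
#note     SARE_HEAD_XLIB_INDY1     Tests X-Library for the literal version string "Indy 10.00.14-B". The dots are
#note     SARE_HEAD_XLIB_INDY1     escaped so they no longer match an arbitrary character between the digits.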
#hist     SARE_HEAD_XLIB_INDY1     Originally submitted by Bob Menschel, RM.hxl_ForgedIndy
#counts   SARE_HEAD_XLIB_INDY1     0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
#max      SARE_HEAD_XLIB_INDY1     30s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
#counts   SARE_HEAD_XLIB_INDY1     2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_XLIB_INDY1     9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_HEAD_XLIB_INDY1     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_XLIB_INDY1     13s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HEAD_XLIB_INDY1     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XLIB_INDY1     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

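header    SARE_HEAD_XLIB_INDY2     X-Library =~ /Indy 8\.0\.25/
describe  SARE_HEAD_XLIB_INDY2     Uses S/W version which has only been seen in spam
score     SARE_HEAD_XLIB_INDY2     0.914
#note     SARE_HEAD_XLIB_INDY2     Tests X-Library for the literal version string "Indy 8.0.25". The dots are
#note     SARE_HEAD_XLIB_INDY2     escaped so they no longer match an arbitrary character between the digits.
#note     SARE_HEAD_XLIB_INDY2     There is no trailing anchor, so longer versions beginning "8.0.25" also match.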
#ham      SARE_HEAD_XLIB_INDY2     verified (1)
#hist     SARE_HEAD_XLIB_INDY2     Created by Bob Menschel May 31 2004
#counts   SARE_HEAD_XLIB_INDY2     124s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_XLIB_INDY2     130s/1h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts   SARE_HEAD_XLIB_INDY2     3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_XLIB_INDY2     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_XLIB_INDY2     1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HEAD_XLIB_INDY2     0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_XLIB_INDY2     2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_XLIB_INDY2     2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_HEAD_XUNSENT        X-Unsent =~ /\b1\b/i
describe  SARE_HEAD_XUNSENT        Found spamsign header
score     SARE_HEAD_XUNSENT        1.666
#note     SARE_HEAD_XUNSENT        Fires when X-Unsent contains a standalone "1"; the /i flag has no effect on a
#note     SARE_HEAD_XUNSENT        digit. NOTE(review): X-Unsent: 1 is normally a draft marker written by
#note     SARE_HEAD_XUNSENT        Outlook-family clients and should not survive into delivered mail; confirm.
#hist     SARE_HEAD_XUNSENT        Alex Broens, June 10 2005
#counts   SARE_HEAD_XUNSENT        15436s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_XUNSENT        57s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_HEAD_XUNSENT        2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#counts   SARE_HEAD_XUNSENT        98s/0h of 53950 corpus (16777s/37173h JH-3.01) 06/11/05
#counts   SARE_HEAD_XUNSENT        1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

header    SARE_HEAD_XWORD          ALL =~ /\n(?!(?:X-Scanned|X-Windows|X-Emacs|X-Note))X-[A-Z][a-z\d]+:\s+(?:[a-z]{2,20}\s){5,}/
describe  SARE_HEAD_XWORD          Spam tool
score     SARE_HEAD_XWORD          1.111
#note     SARE_HEAD_XWORD          Scans the full header block for a line "X-<Word>:" (capital letter then lowercase
#note     SARE_HEAD_XWORD          letters or digits, no further hyphens) whose value starts with five or more
#note     SARE_HEAD_XWORD          lowercase words of 2-20 letters. Names beginning X-Scanned, X-Windows, X-Emacs
#note     SARE_HEAD_XWORD          or X-Note are skipped. The leading \n means the first header line is never tested.
#note     SARE_HEAD_XWORD          Any new legitimate X- header carrying a plain-English sentence will fire until
#note     SARE_HEAD_XWORD          it is added to the exclusion list; the RM line below records 6 ham hits.
#ham      SARE_HEAD_XWORD          verified (1)
#hist     SARE_HEAD_XWORD          Loren Wilton, June 2005
#hist     SARE_HEAD_XWORD          Added X-Scanned exclusion Sep 24 2005
#counts   SARE_HEAD_XWORD          114s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_XWORD          0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

#####################################################################################
#         SARE Rules which examine multiple header types
########  ######################   ##################################################

header    SARE_HEAD_8BIT_DATE      Date =~ /[\x80-\xff]{3}/
describe  SARE_HEAD_8BIT_DATE      High-ascii characters found in strange header
score     SARE_HEAD_8BIT_DATE      1.666
#note     SARE_HEAD_8BIT_DATE      Fires when the Date header contains three consecutive bytes in the range
#note     SARE_HEAD_8BIT_DATE      0x80-0xff. Only the Date header is examined by this rule.
#hist     SARE_HEAD_8BIT_DATE      From Bugzilla # 2243
#ham      SARE_HEAD_8BIT_DATE      verified (1) 
#counts   SARE_HEAD_8BIT_DATE      433s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_8BIT_DATE      4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_8BIT_DATE      0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
#counts   SARE_HEAD_8BIT_DATE      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_8BIT_DATE      1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

header    SARE_MULT_VIA_CITIZNET   ALL =~ /\@(?:\w+\.)?citiz\.net\b/i
describe  SARE_MULT_VIA_CITIZNET   header references apparent spam source
score     SARE_MULT_VIA_CITIZNET   0.816
#note     SARE_MULT_VIA_CITIZNET   Scans every header for "@citiz.net" or "@<label>.citiz.net" (case-insensitive),
#note     SARE_MULT_VIA_CITIZNET   so it fires on From, Reply-To, Received "for" clauses and any other header that
#note     SARE_MULT_VIA_CITIZNET   carries such an address, whether or not the domain actually handled the message.
#ham      SARE_MULT_VIA_CITIZNET   confirmed (2)
#hist     SARE_MULT_VIA_CITIZNET   Created by Bob Menschel Aug 23 2004
#counts   SARE_MULT_VIA_CITIZNET   37s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_MULT_VIA_CITIZNET   0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_MULT_VIA_CITIZNET   8s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
#counts   SARE_MULT_VIA_CITIZNET   10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MULT_VIA_CITIZNET   11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MULT_VIA_CITIZNET   0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MULT_VIA_CITIZNET   2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MULT_VIA_CITIZNET   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05


# EOF

# SARE Header Abuse Ruleset for SpamAssassin -- file 2
# Version:  01.03.16
# Created:  2004-04-25
# Modified: 2005-10-28
# Usage instructions and documentation in 70_sare_header0.cf 

# Full Revision History / Change Log in 70_sare_header.log
#@@# 01.03.16  Oct 28 2005
#@@#           Minor score updates based on additional mass-check
#@@#           Archived from file 2:     SARE_HEAD_HDR_XAUTREPL
#@@#           Archived from file 2:     SARE_HEAD_HDR_XESINSR
#@@#           Moved file 0 to file 2:   SARE_RECV_IP_063111025
#@@#           Moved file 0 to file 2:   SARE_RECV_RANDOM
#@@#           Moved file 1 to file 2:   SARE_FREE_WEBM_USACOPS
#@@#           Moved file 1 to file 2:   SARE_HEAD_HDR_XEMGBMS
#@@#           Moved file 1 to file 2:   SARE_HEAD_XCANIT1
#@@#           Moved file 1 to file 2:   SARE_HEAD_XCANIT2
#@@#           Moved file 1 to file 2:   SARE_MSGID_SPAM_DOMN0
#@@#           Moved file 1 to file 2:   SARE_MSGID_SUSP2
#@@#           Moved file 1 to file 2:   SARE_RECV_IP_081019
#@@#           Moved file 1 to file 2:   SARE_RECV_IP_211049
#@@#           Moved file 1 to file 2:   SARE_RECV_RND_NUMBER
#@@#           Moved file 2 to file 0:   SARE_HEAD_HDR_XE
#@@#           Moved file 2 to file 1:   SARE_FROM_AST
#@@#           Moved file 2 to file 1:   SARE_HEAD_HDR_XCNDINF
#@@#           Moved file 3 to file 2:   SARE_FREE_WEBM_Iamfi
#@@#           Moved file 3 to file 2:   SARE_MSGID_ALL_CAPHM
#@@#           Moved file 3 to file 2:   SARE_TOCC_MAILDOMN
#@@#           Moved file 3 to file 2:   SARE_XMAIL_BULK4

########  ######################   ##################################################
#    Component rules used within meta rules 
########  ######################   ##################################################

# Unscored sub-rule (double-underscore name): true when Subject holds three or more
# consecutive bytes in 0x80-0xff. For a yes/no match {3,} behaves the same as {3}.
# The meta rules that consume it are not in this part of the file.
header    __SARE_HEAD_8BIT_SUBJ    Subject =~ /[\x80-\xff]{3,}/

#####################################################################################
#         SARE Header-Exists rules
########  ######################   ##################################################

header    SARE_HEAD_HDR_CONVWLS    exists:Conversion-With-Loss
describe  SARE_HEAD_HDR_CONVWLS    Message headers used which identify spam
score     SARE_HEAD_HDR_CONVWLS    1.111
#note     SARE_HEAD_HDR_CONVWLS    Fires on the mere presence of a Conversion-With-Loss header; its value is not
#note     SARE_HEAD_HDR_CONVWLS    inspected. NOTE(review): this header name is also defined for X.400 gateway
#note     SARE_HEAD_HDR_CONVWLS    mail, so sites that exchange gatewayed mail should check for ham hits.
#stype    SARE_HEAD_HDR_CONVWLS    spamp
#counts   SARE_HEAD_HDR_CONVWLS    0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_HEAD_HDR_CONVWLS    16s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_CONVWLS    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_CONVWLS    4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_CONVWLS    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_CONVWLS    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_EPATH      exists:Error-path
describe  SARE_HEAD_HDR_EPATH      Message headers used which identify spam
score     SARE_HEAD_HDR_EPATH      0.555
#stype    SARE_HEAD_HDR_EPATH      spamp
#counts   SARE_HEAD_HDR_EPATH      0s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#max      SARE_HEAD_HDR_EPATH      4s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_EPATH      0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_EPATH      0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_EPATH      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_EPATH      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_JLH        exists:X-JLH
describe  SARE_HEAD_HDR_JLH        Message headers used which identify spam
score     SARE_HEAD_HDR_JLH        1.111
#stype    SARE_HEAD_HDR_JLH        spamp
#counts   SARE_HEAD_HDR_JLH        0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_HEAD_HDR_JLH        71s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_JLH        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_JLH        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_JLH        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_HDR_JLH        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05

header    SARE_HEAD_HDR_REDIRTO    exists:Redirect-to
describe  SARE_HEAD_HDR_REDIRTO    Message headers used which identify spam
score     SARE_HEAD_HDR_REDIRTO    0.555
#stype    SARE_HEAD_HDR_REDIRTO    spamp
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_REDIRTO    1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_ROT        exists:Rot
describe  SARE_HEAD_HDR_ROT        Message headers used which identify spam
score     SARE_HEAD_HDR_ROT        0.555
#stype    SARE_HEAD_HDR_ROT        spamp
#counts   SARE_HEAD_HDR_ROT        0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_ROT        3s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
#counts   SARE_HEAD_HDR_ROT        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_ROT        2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_ROT        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_ROT        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_RTNPATH    exists:List-Return-Path
describe  SARE_HEAD_HDR_RTNPATH    Message headers used which identify spam
score     SARE_HEAD_HDR_RTNPATH    1.111
#stype    SARE_HEAD_HDR_RTNPATH    spamp
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_HEAD_HDR_RTNPATH    32s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_WCMSGID    exists:WcMessage-ID
describe  SARE_HEAD_HDR_WCMSGID    Message headers used which identify spam
score     SARE_HEAD_HDR_WCMSGID    0.555
#stype    SARE_HEAD_HDR_WCMSGID    spamp
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_WCMSGID    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_X400MTI    exists:X400-MTS-Identifier
describe  SARE_HEAD_HDR_X400MTI    Message headers used which identify spam
score     SARE_HEAD_HDR_X400MTI    0.555
#stype    SARE_HEAD_HDR_X400MTI    spamp
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_X400MTI    1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XAR        exists:X-AR
describe  SARE_HEAD_HDR_XAR        Message headers used which identify spam
score     SARE_HEAD_HDR_XAR        0.555
#stype    SARE_HEAD_HDR_XAR        spamp
#counts   SARE_HEAD_HDR_XAR        0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
#max      SARE_HEAD_HDR_XAR        2s/0h of 66087 corpus (40127s/25960h RM) 09/11/04
#counts   SARE_HEAD_HDR_XAR        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XAR        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XAR        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XAR        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XAUTGEN    exists:X-Auto-Generated
describe  SARE_HEAD_HDR_XAUTGEN    Message headers used which identify spam
score     SARE_HEAD_HDR_XAUTGEN    0.555
#stype    SARE_HEAD_HDR_XAUTGEN    spamp
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XAUTGEN    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XCROSS     exists:X-cross
describe  SARE_HEAD_HDR_XCROSS     Message headers used which identify spam
score     SARE_HEAD_HDR_XCROSS     0.100
#stype    SARE_HEAD_HDR_XCROSS     spamp
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XEMGBMS    exists:X-EMailGateBouncedMessage
describe  SARE_HEAD_HDR_XEMGBMS    Message headers used which identify spam
score     SARE_HEAD_HDR_XEMGBMS    0.555
#stype    SARE_HEAD_HDR_XEMGBMS    spamp
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#max      SARE_HEAD_HDR_XEMGBMS    6s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XLC        exists:X-L-C
describe  SARE_HEAD_HDR_XLC        Message headers used which identify spam
score     SARE_HEAD_HDR_XLC        0.100
#stype    SARE_HEAD_HDR_XLC        spamp
#counts   SARE_HEAD_HDR_XLC        0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XLC        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XLC        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XLC        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XLC        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XLIDCOD    exists:X-LIDCode
describe  SARE_HEAD_HDR_XLIDCOD    Message headers used which identify spam
score     SARE_HEAD_HDR_XLIDCOD    0.100
#stype    SARE_HEAD_HDR_XLIDCOD    spamp
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMISCID    exists:X-Misc_ID
describe  SARE_HEAD_HDR_XMISCID    Message headers used which identify spam
score     SARE_HEAD_HDR_XMISCID    0.100
#stype    SARE_HEAD_HDR_XMISCID    spamp
#hist     SARE_HEAD_HDR_XMISCID    FH_XMISCID
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMLCIPH    exists:X-mlcipher
describe  SARE_HEAD_HDR_XMLCIPH    Message headers used which identify spam
score     SARE_HEAD_HDR_XMLCIPH    0.100
#stype    SARE_HEAD_HDR_XMLCIPH    spamp
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMLMSGI    exists:X-mlmsgid
describe  SARE_HEAD_HDR_XMLMSGI    Message headers used which identify spam
score     SARE_HEAD_HDR_XMLMSGI    0.100
#stype    SARE_HEAD_HDR_XMLMSGI    spamp
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMAGDID    exists:X-magdalene-ID
describe  SARE_HEAD_HDR_XMAGDID    Message headers used which identify spam
score     SARE_HEAD_HDR_XMAGDID    0.555
#stype    SARE_HEAD_HDR_XMAGDID    spamp
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
#max      SARE_HEAD_HDR_XMAGDID    1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMPM       exists:X-mpm
describe  SARE_HEAD_HDR_XMPM       Message headers used which identify spam
score     SARE_HEAD_HDR_XMPM       0.100
#stype    SARE_HEAD_HDR_XMPM       spamp
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMS        exists:X-ms
describe  SARE_HEAD_HDR_XMS        Message headers used which identify spam
score     SARE_HEAD_HDR_XMS        0.100
#stype    SARE_HEAD_HDR_XMS        spamp
#counts   SARE_HEAD_HDR_XMS        0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMS        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMS        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMS        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMS        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XNOSPAM    exists:X-No-Spam
describe  SARE_HEAD_HDR_XNOSPAM    Message headers used which identify spam
score     SARE_HEAD_HDR_XNOSPAM    1.111
#stype    SARE_HEAD_HDR_XNOSPAM    spamp
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
#max      SARE_HEAD_HDR_XNOSPAM    12s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XNOSPAM    4s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XNTC       exists:X-ntc
describe  SARE_HEAD_HDR_XNTC       Message headers used which identify spam
score     SARE_HEAD_HDR_XNTC       0.100
#stype    SARE_HEAD_HDR_XNTC       spamp
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPOPB4S    exists:X-Pop-Before-SMTP-Sender
describe  SARE_HEAD_HDR_XPOPB4S    Message headers used which identify spam
score     SARE_HEAD_HDR_XPOPB4S    0.555
#stype    SARE_HEAD_HDR_XPOPB4S    spamp
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#max      SARE_HEAD_HDR_XPOPB4S    1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when an X-POPFile-Link header is present, whatever its value.
# NOTE(review): X-POPFile-Link and X-Text-Classification (scored separately by
# SARE_HEAD_HDR_XTXTCLS, also 0.555) are both headers that the POPFile
# classifier adds on the recipient side. The rule presumably treats them as
# forged when they arrive from outside, but mail forwarded or re-sent by a
# POPFile user can carry both and then collects 1.11 points from one cause --
# confirm against ham that has passed through forwarding.
header    SARE_HEAD_HDR_XPOPFLK    exists:X-POPFile-Link
describe  SARE_HEAD_HDR_XPOPFLK    Message headers used which identify spam
score     SARE_HEAD_HDR_XPOPFLK    0.555
#stype    SARE_HEAD_HDR_XPOPFLK    spamp
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
#max      SARE_HEAD_HDR_XPOPFLK    3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPRIOMS    exists:X-Prioserve-MailScanner
describe  SARE_HEAD_HDR_XPRIOMS    Message headers used which identify spam
score     SARE_HEAD_HDR_XPRIOMS    0.555
#stype    SARE_HEAD_HDR_XPRIOMS    spamp
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XPRIOMS    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPRIOMF    exists:X-Prioserve-MailScanner-From
describe  SARE_HEAD_HDR_XPRIOMF    Message headers used which identify spam
score     SARE_HEAD_HDR_XPRIOMF    0.555
#stype    SARE_HEAD_HDR_XPRIOMF    spamp
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XPRIOMF    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPRIOMI    exists:X-Prioserve-MailScanner-Information
describe  SARE_HEAD_HDR_XPRIOMI    Message headers used which identify spam
score     SARE_HEAD_HDR_XPRIOMI    0.555
#stype    SARE_HEAD_HDR_XPRIOMI    spamp
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XPRIOMI    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when an X-Prioserve-MailScanner-SpamCheck header is present.
# The rule name spells "PIRO" where its three siblings (SARE_HEAD_HDR_XPRIOMS,
# SARE_HEAD_HDR_XPRIOMF, SARE_HEAD_HDR_XPRIOMI) spell "PRIO". The name is left
# as published because local score overrides may reference it.
# NOTE(review): the four X-Prioserve-MailScanner* rules score 0.555 each and
# all show the same single spam hit in the 01/16/05 #max line. If one scanner
# stamps all four headers, a message collects 2.22 points from what is
# effectively one signal -- a single meta rule over the four would avoid that.
header    SARE_HEAD_HDR_XPIROMC    exists:X-Prioserve-MailScanner-SpamCheck
describe  SARE_HEAD_HDR_XPIROMC    Message headers used which identify spam
score     SARE_HEAD_HDR_XPIROMC    0.555
#stype    SARE_HEAD_HDR_XPIROMC    spamp
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XPIROMC    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XRBLTST    exists:X-RBL-TST
describe  SARE_HEAD_HDR_XRBLTST    Message headers used which identify spam
score     SARE_HEAD_HDR_XRBLTST    0.555
#stype    SARE_HEAD_HDR_XRBLTST    spamp
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
#max      SARE_HEAD_HDR_XRBLTST    2s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XREC       exists:X-Rec
describe  SARE_HEAD_HDR_XREC       Message headers used which identify spam
score     SARE_HEAD_HDR_XREC       2.222
#stype    SARE_HEAD_HDR_XREC       spamp
#counts   SARE_HEAD_HDR_XREC       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XREC       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XREC       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XREC       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XREC       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when an X-Spam-Score header is present, whatever its value.
# NOTE(review): X-Spam-Score is a name that spam-filtering products themselves
# write. The rule presumably assumes that any copy seen here was inserted by
# the sender to look pre-scanned. Where a trusted upstream filter or forwarding
# host stamps this header, every message it handles gains 0.555 points; strip
# foreign X-Spam-* headers at the border or zero this score in that setup.
header    SARE_HEAD_HDR_XSPAMSC    exists:X-Spam-Score
describe  SARE_HEAD_HDR_XSPAMSC    Message headers used which identify spam
score     SARE_HEAD_HDR_XSPAMSC    0.555 
#stype    SARE_HEAD_HDR_XSPAMSC    spamp
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XSPAMSC    1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XSRK       exists:X-srk
describe  SARE_HEAD_HDR_XSRK       Message headers used which identify spam
score     SARE_HEAD_HDR_XSRK       0.100
#stype    SARE_HEAD_HDR_XSRK       spamp
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XSUBID     exists:X-SubID
describe  SARE_HEAD_HDR_XSUBID     Message headers used which identify spam
score     SARE_HEAD_HDR_XSUBID     0.555
#stype    SARE_HEAD_HDR_XSUBID     spamp
#counts   SARE_HEAD_HDR_XSUBID     0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
#max      SARE_HEAD_HDR_XSUBID     3s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
#counts   SARE_HEAD_HDR_XSUBID     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSUBID     1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSUBID     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSUBID     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XTRANS     exists:X-Trans
describe  SARE_HEAD_HDR_XTRANS     Message headers used which identify spam
score     SARE_HEAD_HDR_XTRANS     0.100
#stype    SARE_HEAD_HDR_XTRANS     spamp
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XTXTCLS    exists:X-Text-Classification
describe  SARE_HEAD_HDR_XTXTCLS    Message headers used which identify spam
score     SARE_HEAD_HDR_XTXTCLS    0.555
#stype    SARE_HEAD_HDR_XTXTCLS    spamp
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
#max      SARE_HEAD_HDR_XTXTCLS    3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XVIG       exists:X-Vig
describe  SARE_HEAD_HDR_XVIG       Message headers used which identify spam
score     SARE_HEAD_HDR_XVIG       0.100
#stype    SARE_HEAD_HDR_XVIG       spamp
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XYD        exists:X-yd
describe  SARE_HEAD_HDR_XYD        Message headers used which identify spam
score     SARE_HEAD_HDR_XYD        0.100
#stype    SARE_HEAD_HDR_XYD        spamp
#counts   SARE_HEAD_HDR_XYD        0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XYD        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XYD        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XYD        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XYD        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XI         exists:X-I
describe  SARE_HEAD_HDR_XI         Message headers used which identify spam
score     SARE_HEAD_HDR_XI         0.100
#stype    SARE_HEAD_HDR_XI         spamp
#counts   SARE_HEAD_HDR_XI         0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XI         0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XI         0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XI         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XI         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XIM        exists:X-IM
describe  SARE_HEAD_HDR_XIM        Message headers used which identify spam
score     SARE_HEAD_HDR_XIM        0.100
#stype    SARE_HEAD_HDR_XIM        spamp
#counts   SARE_HEAD_HDR_XIM        0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XIM        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XIM        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XIM        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XIM        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Content-Type and Boundary rules
########  ######################   ##################################################

# "full" rule: the pattern is searched in the complete message text rather than
# in one parsed header. It matches a line reading exactly
# "Content-Encoding: BitBitNUM" with a newline directly before and after.
# NOTE(review): "BitBitNUM" presumably is a mailer template token that was
# never expanded. The pattern is case-sensitive and expects a single space
# after the colon, so a trivially altered variant would not match.
full      SARE_CONTENT_BITBITNUM   /\nContent-Encoding: BitBitNUM\n/
describe  SARE_CONTENT_BITBITNUM   Unlikely content encoding
score     SARE_CONTENT_BITBITNUM   1.406
#hist     SARE_CONTENT_BITBITNUM   Loren Wilton, Feb 1 2005
#counts   SARE_CONTENT_BITBITNUM   0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_CONTENT_BITBITNUM   153s/0h of 95210 corpus (59682s/35528h RM) 02/01/05
#counts   SARE_CONTENT_BITBITNUM   64s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_CONTENT_BITBITNUM   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_CONTENT_BITBITNUM   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE From Rules 
########  ######################   ##################################################

# Matches "america.com" (case-insensitive) in the From header when it starts at
# a word boundary and the character before it is not a hyphen. So
# user@america.com and user@mail.america.com hit, while a longer name ending in
# "...america.com" (no word boundary) or "x-america.com" (hyphen) does not.
# NOTE(review): a plain "From" test sees the whole header value, display name
# included, so the text can match outside the address itself. The From:addr
# form would restrict the test to the address if that is the intent.
header    SARE_FROM_AMERICA        From =~ /[^\-]\bamerica\.com\b/i
describe  SARE_FROM_AMERICA        From user address is used by spammer
score     SARE_FROM_AMERICA        1.111
#stype    SARE_FROM_AMERICA        spamp
#hist     SARE_FROM_AMERICA        Created by Bob Menschel Sep 24 2004
#counts   SARE_FROM_AMERICA        0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#max      SARE_FROM_AMERICA        5s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#counts   SARE_FROM_AMERICA        0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_FROM_AMERICA        0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FROM_AMERICA        4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_FROM_AMERICA        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_AMERICA        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FROM_SPAM_DOMN2     From =~ /\@wses\.(?:com|org)/i
describe  SARE_FROM_SPAM_DOMN2     From address suggests this is spam
score     SARE_FROM_SPAM_DOMN2     0.100
#stype    SARE_FROM_SPAM_DOMN2     spamp
#hist     SARE_FROM_SPAM_DOMN2     RM_fa_wses
#counts   SARE_FROM_SPAM_DOMN2     0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_FROM_SPAM_DOMN2     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FROM_SPAM_DOMN2     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPAM_DOMN2     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

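# Targets mail with a bare "From: support@microsoft.com" header line, which the
# describe text attributes to a virus.
# The test runs against the ALL pseudo-header (the complete header block), so
# the pattern is anchored with ^ and /m to the start of a header line. Without
# the anchor, the same text inside Resent-From:, X-Envelope-From: or any other
# header ending in "From:" would also match. The dot in "microsoft.com" is
# escaped so that it matches only a literal dot, not any character.
# NOTE(review): the address alone does not prove forgery. At 3.333 points, a
# site that does receive genuine mail from this address should pair the rule
# with a sender-authentication or relay check, or lower the score.
header    SARE_FROM_VIRUS1         ALL =~ /^From:\ssupport\@microsoft\.com/m
describe  SARE_FROM_VIRUS1         From address suggests this is a virus
score     SARE_FROM_VIRUS1         3.333
#stype    SARE_FROM_VIRUS1         vbgg
#counts   SARE_FROM_VIRUS1         0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_FROM_VIRUS1         21s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_FROM_VIRUS1         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FROM_VIRUS1         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_VIRUS1         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05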

#####################################################################################
#         SARE From Rules -- Emails coming from free webmail accounts
#         Since spam from these can vary depending upon country of origin, 
#         country of destination, policies, and enforcement of policies, 
#         most of these are kept as separate rules rather than combined. 
########  ######################   ##################################################

header    SARE_FREE_WEBM_Iamfi     From =~ /\biamfinallyonline\.com/i
describe  SARE_FREE_WEBM_Iamfi     Sender used free email account - may be spammer
score     SARE_FREE_WEBM_Iamfi     0.555
#stype    SARE_FREE_WEBM_Iamfi     spamp
#hist     SARE_FREE_WEBM_Iamfi     Created by Bob Menschel Apr 09 2004
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_FREE_WEBM_Iamfi     3s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FREE_WEBM_Iamfi     1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_USACOPS   From =~ /\@usacops\.com/i
describe  SARE_FREE_WEBM_USACOPS   Maybe spammer with free email
score     SARE_FREE_WEBM_USACOPS   0.555
#stype    SARE_FREE_WEBM_USACOPS   spamp
#hist     SARE_FREE_WEBM_USACOPS   Created by Bob Menschel Feb 24 2005
#counts   SARE_FREE_WEBM_USACOPS   0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_FREE_WEBM_USACOPS   2s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_FREE_WEBM_USACOPS   0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_FREE_WEBM_USACOPS   2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_USACOPS   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_USACOPS   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Message-ID rules
########  ######################   ##################################################

header    SARE_MSGID_06D6          MESSAGEID =~ /<0{6}\d{6}\$\d/
describe  SARE_MSGID_06D6          Message-ID has ratware pattern (000009999$9)
score     SARE_MSGID_06D6          1.061
#counts   SARE_MSGID_06D6          0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#max      SARE_MSGID_06D6          91s/0h of 115439 corpus (94250s/21189h RM) 04/30/04
#counts   SARE_MSGID_06D6          0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_MSGID_06D6          0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MSGID_06D6          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_06D6          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

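# MSGID_SPAM_CAPS is re-declared here under the name of a rule that, per the #hist
# line, ships with SA 2.64 / 3.0.0 -- presumably so the meta below can negate it.
# NOTE(review): this block sets no score for MSGID_SPAM_CAPS; confirm the installed
# SpamAssassin still ships that rule and scores it, otherwise this declaration is
# the only definition and gets whatever default applies.
header    MSGID_SPAM_CAPS          Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
#hist     MSGID_SPAM_CAPS          Distrib: SA 2.64, 3.0.0
# All-uppercase local part at hotmail.com; intentionally case-sensitive.
# The dot is escaped so only the literal domain "hotmail.com" matches
# (an unescaped "." would also accept any other character in that position).
header    __SARE_MSGID_ALL_CAPHM   MESSAGEID =~ /<[A-Z]+\@hotmail\.com>/  # no /i
# Fires only when the broader MSGID_SPAM_CAPS did not already hit.
meta      SARE_MSGID_ALL_CAPHM     __SARE_MSGID_ALL_CAPHM && !MSGID_SPAM_CAPS
describe  SARE_MSGID_ALL_CAPHM     Ratware all-caps message-id 
score     SARE_MSGID_ALL_CAPHM     1.666
#stype    SARE_MSGID_ALL_CAPHM     spamg
#hist     SARE_MSGID_ALL_CAPHM     Created by Bob Menschel May 15 2004
#note     SARE_MSGID_ALL_CAPHM     Most emails that match __SARE_MSGID_ALL_CAPHM fall into SARE_MSGID_ALL_CAPS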
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 70566 corpus (43013s/27553h RM) 10/02/04
#max      SARE_MSGID_ALL_CAPHM     1s/0h of 69619 corpus (42582s/27037h RM) 09/26/04
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_MSGID_ALL_CAPHM     1s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

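# MSGID_SPAM_CAPS is declared a second time in this file with the same pattern;
# the repeat is redundant but kept so this rule group stays self-contained.
header    MSGID_SPAM_CAPS          Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
#hist     MSGID_SPAM_CAPS          Distrib: SA 2.64, 3.0.0
# All-uppercase local part at msn.com; intentionally case-sensitive.
# The dot is escaped so only the literal domain "msn.com" matches.
header    __SARE_MSGID_ALL_CAPMS   MESSAGEID =~ /<[A-Z]+\@msn\.com>/  # no /i
# Fires only when the broader MSGID_SPAM_CAPS did not already hit.
meta      SARE_MSGID_ALL_CAPMS     __SARE_MSGID_ALL_CAPMS && !MSGID_SPAM_CAPS
describe  SARE_MSGID_ALL_CAPMS     Ratware all-caps message-id 
score     SARE_MSGID_ALL_CAPMS     1.666
#hist     SARE_MSGID_ALL_CAPMS     Created by Bob Menschel May 15 2004
#note     SARE_MSGID_ALL_CAPMS     Most emails that match __SARE_MSGID_ALL_CAPMS fall into SARE_MSGID_ALL_CAPS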
#counts   SARE_MSGID_ALL_CAPMS     0s/0h of 58336 corpus (33608s/24728h RM) 08/07/04
#counts   SARE_MSGID_ALL_CAPMS     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_MSGID_ALL_CAPMS     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_ALL_CAPMS     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_MSGID_H7H4H4        MESSAGEID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
describe  SARE_MSGID_H7H4H4        Message-ID has ratware pattern (7hex$4hex$4hex@)
score     SARE_MSGID_H7H4H4        0.222
#counts   SARE_MSGID_H7H4H4        0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_MSGID_H7H4H4        2s/0h of 115439 corpus (94250s/21189h) 04/30/04
#counts   SARE_MSGID_H7H4H4        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_MSGID_H7H4H4        2s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_MSGID_H7H4H4        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MSGID_H7H4H4        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_H7H4H4        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_MSGID_SPAM_DOMN0    MESSAGEID =~ /\bjeanvaljean\.com/i
describe  SARE_MSGID_SPAM_DOMN0    Message ID implies possible spammer relay
score     SARE_MSGID_SPAM_DOMN0    1.666
#stype    SARE_MSGID_SPAM_DOMN0    spamg
#hist     SARE_MSGID_SPAM_DOMN0    Created by Bob Menschel Mar 22 2004
#hist     SARE_MSGID_SPAM_DOMN0    Removed moosq.com, since now in specific.cf
#counts   SARE_MSGID_SPAM_DOMN0    0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#max      SARE_MSGID_SPAM_DOMN0    1s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_MSGID_SPAM_DOMN0    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MSGID_SPAM_DOMN0    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_SPAM_DOMN0    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Message-ID of the form <LETTERS-digits@letters>, with two exclusions applied
# in the meta: mail whose Received headers contain the uppercase text
# "LOCALHOST" (described in #hist as a ham-evading exclude), and mail that the
# narrower MSGID_SPAM_ALPHA_NUM pattern has already matched.
# NOTE(review): MSGID_SPAM_ALPHA_NUM is declared here without a score of its own;
# it looks like a copy of a distribution rule -- confirm the installed
# SpamAssassin still provides and scores it.
header    MSGID_SPAM_ALPHA_NUM     MESSAGEID =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/
# Case-sensitive: only the all-uppercase spelling is excluded.
header    __SARE_RECV_LOCALHOST    Received =~ /LOCALHOST/
# 5-15 uppercase letters, a dash, 10-25 digits, then a lowercase-only domain part.
header    __SARE_MSGID_SUSP2       MESSAGEID =~ /\<[A-Z]{5,15}\-\d{10,25}\@[a-z]+\>/
meta      SARE_MSGID_SUSP2         __SARE_MSGID_SUSP2 && !__SARE_RECV_LOCALHOST && !MSGID_SPAM_ALPHA_NUM
describe  SARE_MSGID_SUSP2         Message-Id is <LETTERS-digits@letters>
# 3.000 is the second-highest score in this part of the file; the last recorded
# mass-check lines below show 0 spam hits, so the weight rests on 2004-era counts.
score     SARE_MSGID_SUSP2         3.000
#hist     SARE_MSGID_SUSP2         Loren Wilton, LW_BOGUS_MSGID6
#hist     SARE_MSGID_SUSP2         Broadened Aug 2004 by Jesse Houwing, with ham-evading exclude
#V300     SARE_MSGID_SUSP2         strong overlap with MSGID_SPAM_ALPHA_NUM 
#counts   SARE_MSGID_SUSP2         0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#alone    SARE_MSGID_SUSP2         174s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#max      SARE_MSGID_SUSP2         9187s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
#counts   SARE_MSGID_SUSP2         0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MSGID_SUSP2         6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MSGID_SUSP2         0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_MSGID_SUSP2         187s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_MSGID_SUSP2         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_SUSP2         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Received Header Rules
########  ######################   ##################################################

header    SARE_HELO_AOLID          Received =~ /helo=aol\.com ident=/
describe  SARE_HELO_AOLID          Spam passed through apparent spammer relay
score     SARE_HELO_AOLID          0.611
#counts   SARE_HELO_AOLID          0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_HELO_AOLID          10s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#counts   SARE_HELO_AOLID          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_HELO_AOLID          0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HELO_AOLID          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HELO_AOLID          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_ADDR2          Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/
describe  SARE_RECV_ADDR2          Received header missing a FQDN, IP only.
score     SARE_RECV_ADDR2          0.100
#counts   SARE_RECV_ADDR2          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ADDR2          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ADDR2          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ADDR2          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

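# Matches a Received value that starts "from (" "[" "]" ")" with at most one
# arbitrary character in each gap, i.e. an (almost) empty bracketed address.
# NOTE(review): the trailing \b follows a literal ")", so it only succeeds when
# the very next character is a word character; ") by ..." with a space after the
# parenthesis will not match. Every mass-check line below shows 0 hits --
# confirm whether the \b is intended.
header    SARE_RECV_ADDR3          Received =~ /^from \(.?\[.?\].?\)\b/
# Spelling of "Received" corrected in the user-visible description.
describe  SARE_RECV_ADDR3          Received header contains an empty Received IP.
score     SARE_RECV_ADDR3          0.100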
#counts   SARE_RECV_ADDR3          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ADDR3          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ADDR3          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ADDR3          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Matches a Received value that starts "from unknown (word word)".
# NOTE(review): the trailing \b follows a literal ")", so it only succeeds when
# the next character is a word character; a space after the parenthesis will
# not match. Every mass-check line below shows 0 hits -- confirm whether the \b
# is intended.
header    SARE_RECV_ADDR4          Received =~ /^from unknown \(\w+ \w+\)\b/
describe  SARE_RECV_ADDR4          Received contains unknown FQDN with possible HELO.
score     SARE_RECV_ADDR4          0.100
#counts   SARE_RECV_ADDR4          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ADDR4          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ADDR4          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ADDR4          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_ADDR5          Received =~ /^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by /
describe  SARE_RECV_ADDR5          RCVD header has no FQDN and a HELO.
score     SARE_RECV_ADDR5          0.100
#counts   SARE_RECV_ADDR5          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ADDR5          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ADDR5          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ADDR5          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_RECV_CHAR_DASHS   Received =~ /---/
header    __SARE_RECV_CHAR_DOTS    Received =~ /\.\./
meta      SARE_RECV_CHAR_DSHDT     __SARE_RECV_CHAR_DASHS && __SARE_RECV_CHAR_DOTS
describe  SARE_RECV_CHAR_DSHDT     Strange dashes and dots in received line
score     SARE_RECV_CHAR_DSHDT     0.500
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_CHAR_DSHDT     7s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_RECV_CHAR_DSHDT     2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# NOTE(review): as written this pattern does not contain a group. "\(?" is an
# optional literal "(" and the ":" after it is a literal colon, so the "|" splits
# the whole expression into two alternatives:
#   1. ^from [(]:unknown
#   2. <dotted quad>) (<whitespace>) by <whitespace> with esmtp; 
# "\s+" matches whitespace only, so alternative 2 needs blank text inside the
# parentheses and after "by". Every mass-check line below shows 0 hits.
# It looks as if "(?:unknown|...)" and "\S+" were intended -- confirm against the
# original source of the rule before changing it, since lowercase "esmtp" may also
# appear in legitimate Received lines.
header    SARE_RECV_ESMTP          Received =~ /^from \(?:unknown|\d+\.\d+\.\d+\.\d+\) \(\s+\) by \s+ with esmtp; /
describe  SARE_RECV_ESMTP          Received header has forged lowercase 'esmtp' relay
score     SARE_RECV_ESMTP          0.100
#counts   SARE_RECV_ESMTP          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ESMTP          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ESMTP          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ESMTP          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_RANDOM         Received =~ /helo[ =].{1,30}<rnddg/i
describe  SARE_RECV_RANDOM         Spam contains random string in received header
score     SARE_RECV_RANDOM         4.000
#stype    SARE_RECV_RANDOM         spamggg
#hist     SARE_RECV_RANDOM         Created by Bob Menschel Nov 02 2004
#counts   SARE_RECV_RANDOM         0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_RANDOM         80s/0h of 196708 corpus (96197s/100511h RM) 02/21/05
#counts   SARE_RECV_RANDOM         0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_RANDOM         0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_RANDOM         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_RANDOM         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_RND_NUMBER     Received =~ /RND_NUMBER/i
describe  SARE_RECV_RND_NUMBER     Spam passed through iswest.net relay
score     SARE_RECV_RND_NUMBER     1.666  
#stype    SARE_RECV_RND_NUMBER     spamg
#counts   SARE_RECV_RND_NUMBER     0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_RND_NUMBER     2s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
#counts   SARE_RECV_RND_NUMBER     0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_RECV_RND_NUMBER     0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_RECV_RND_NUMBER     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_RND_NUMBER     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_WITH_X2        Received =~ / with with /
describe  SARE_RECV_WITH_X2        Spam identified by typo in received header
score     SARE_RECV_WITH_X2        1.666
#stype    SARE_RECV_WITH_X2        spamp 
#counts   SARE_RECV_WITH_X2        0s/0h of 56796 corpus (32203s/24593h RM) 07/25/04
#max      SARE_RECV_WITH_X2        341s/0h of 100795 corpus (82099s/18696h) 02/16/04
#counts   SARE_RECV_WITH_X2        0s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_WITH_X2        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_WITH_X2        4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_WITH_X2        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_WITH_X2        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Received Header IP Address Rules
########  ######################   ##################################################

# Flags any bracketed address in 63.111.25.0-255 found in the Received headers.
# The pattern is unanchored, so it is not limited to the hop that handed the
# message to a trusted relay; Received lines below that hop are written by the
# sender and carry no evidential weight.
# NOTE(review): the header name is lowercase ("received") here, unlike the other
# Received rules in this section -- confirm this is only cosmetic.
# NOTE(review): the range comes from a January 2005 Spam-L report (see #hist);
# address blocks get reassigned, so re-check ownership before relying on it.
header    SARE_RECV_IP_063111025   received =~ /\[63\.111\.25\.\d{1,3}\]/
describe  SARE_RECV_IP_063111025   Spam passed through possible spammer relay
score     SARE_RECV_IP_063111025   1.666
#stype    SARE_RECV_IP_063111025   spamp
#hist     SARE_RECV_IP_063111025   Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
#counts   SARE_RECV_IP_063111025   0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_RECV_IP_063111025   65s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_IP_063111025   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_063111025   130s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_063111025   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_063111025   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_064095      Received =~ /\[64\.95\.199\.\d{1,3}\]/
describe  SARE_RECV_IP_064095      Spam passed through probable spammer relay 
score     SARE_RECV_IP_064095      1.666 
#stype    SARE_RECV_IP_064095      spamg
#hist     SARE_RECV_IP_064095      Created by Bob Menschel Apr 17 2004
#counts   SARE_RECV_IP_064095      0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_RECV_IP_064095      3s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_IP_064095      0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_RECV_IP_064095      22s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_IP_064095      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_IP_064095      2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_064095      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_064095      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_064192191   Received =~ /\[64\.192\.191\.\d{1,3}\]/
describe  SARE_RECV_IP_064192191   Passed through possible spammer relay or source
score     SARE_RECV_IP_064192191   1.111 
#stype    SARE_RECV_IP_064192191   spamp
#hist     SARE_RECV_IP_064192191   Created by Bob Menschel Jan 14 2005, info thanks to Paul Howarth, Dec 14 2004
#note     SARE_RECV_IP_064192191   WCG.NET, On The Net, Inc., onthenethosting.us
#counts   SARE_RECV_IP_064192191   0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_RECV_IP_064192191   31s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_IP_064192191   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_064192191   0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_IP_064192191   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_064192191   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_081019      Received =~ /\[81\.19\.24[0-3]\.\d{1,3}\]/
describe  SARE_RECV_IP_081019      Passed through possible spammer relay or source
score     SARE_RECV_IP_081019      0.678
#hist     SARE_RECV_IP_081019      Created by Bob Menschel Jul 27 2004
#counts   SARE_RECV_IP_081019      0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_IP_081019      15s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_IP_081019      3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_081019      0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_081019      4s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_IP_081019      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_081019      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_081095      Received =~ /\[81\.95\.(?:3[2-9]|4[0-7])\.\d{1,3}\]/
describe  SARE_RECV_IP_081095      Spam passed through possible spammer relay 
score     SARE_RECV_IP_081095      0.555  
#stype    SARE_RECV_IP_081095      spamp 
#hist     SARE_RECV_IP_081095      Created by Bob Menschel June 12 2004
#counts   SARE_RECV_IP_081095      0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_RECV_IP_081095      3s/0h of 66087 corpus (40127s/25960h RM) 09/11/04
#counts   SARE_RECV_IP_081095      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_IP_081095      1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_081095      0s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_081095      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_081095      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_142046      Received =~ /\[142\.46\.148\.\d{1,3}\]/
describe  SARE_RECV_IP_142046      Passed through possible spammer relay or source
score     SARE_RECV_IP_142046      0.555
#stype    SARE_RECV_IP_142046      spamp
#hist     SARE_RECV_IP_142046      Created by Bob Menschel Feb 10 2005 from Spam-L info
#counts   SARE_RECV_IP_142046      0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_IP_142046      8s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_IP_142046      0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_RECV_IP_142046      0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_142046      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_142046      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_200203050   Received =~ /\[200\.203\.50\.160\]/
describe  SARE_RECV_IP_200203050   Spam passed through possible spammer relay
score     SARE_RECV_IP_200203050   0.555
#stype    SARE_RECV_IP_200203050   spamp
#hist     SARE_RECV_IP_200203050   Created by Bob Menschel, Feb 19 2005, from Spam-L posting
#counts   SARE_RECV_IP_200203050   0s/0h of 174366 corpus (98964s/75402h RM) 02/18/05
#counts   SARE_RECV_IP_200203050   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_200203050   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Flags a bracketed address in 202.22.248.0 - 202.22.251.255 in the Received headers.
# NOTE(review): the rule name suggests 202.64.x.x (sibling rules encode the
# leading octets in their names, e.g. SARE_RECV_IP_081019 for 81.19.x.x), but the
# pattern matches 202.22.x.x. One of the two is presumably a typo -- verify
# against the original report before trusting either.
header    SARE_RECV_IP_202064      Received =~ /\[202\.22\.(?:24[89]|25[01])\.\d{1,3}\]/
describe  SARE_RECV_IP_202064      Spam passed through possible spammer relay
score     SARE_RECV_IP_202064      1.111
#stype    SARE_RECV_IP_202064      spamp 
#hist     SARE_RECV_IP_202064      Created by Bob Menschel Apr 25 2004
#counts   SARE_RECV_IP_202064      0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_RECV_IP_202064      12s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#counts   SARE_RECV_IP_202064      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_IP_202064      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_IP_202064      4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_202064      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_202064      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_211049      Received =~ /\[211\.49\.185\.\d{1,3}\]/
describe  SARE_RECV_IP_211049      Spam passed through possible spammer relay
score     SARE_RECV_IP_211049      0.555
#stype    SARE_RECV_IP_211049      spamp
#counts   SARE_RECV_IP_211049      0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_211049      3s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_RECV_IP_211049      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_IP_211049      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_IP_211049      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05

header    SARE_RECV_IP_212164      Received =~ /\[212\.164\.1(?:6[4-9]|[78]\d|9[01])\.\d{1,3}\]/
describe  SARE_RECV_IP_212164      Spam passed through possible spammer relay 
score     SARE_RECV_IP_212164      0.555
#stype    SARE_RECV_IP_212164      spamp
#hist     SARE_RECV_IP_212164      Created by Bob Menschel May 31 2004
#counts   SARE_RECV_IP_212164      0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_IP_212164      1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_IP_212164      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_IP_212164      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_212164      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE User-Agent rules
########  ######################   ##################################################

#####################################################################################
#         SARE To/Cc Destination rules
########  ######################   ##################################################

header    SARE_TOCC_MAILDOMN       ToCc =~ /(?:client|recipient)\@(?:smtpdomain|maildomain)\.(?:com|net)/i
describe  SARE_TOCC_MAILDOMN       Destination identifies this as a virus bounce
score     SARE_TOCC_MAILDOMN       1.666
#stype    SARE_TOCC_MAILDOMN       vbg
#hist     SARE_TOCC_MAILDOMN       Created by Bob Menschel Mar 28 2004
#counts   SARE_TOCC_MAILDOMN       0s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#max      SARE_TOCC_MAILDOMN       5s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
#counts   SARE_TOCC_MAILDOMN       1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TOCC_MAILDOMN       0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_MAILDOMN       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_MAILDOMN       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_TOCC_SPAMWORD0      ToCc =~ /(?:alter-ego|Mailing-Boxes|ReMailer|User-info)\@/i
describe  SARE_TOCC_SPAMWORD0      Addressed to bogus email address
score     SARE_TOCC_SPAMWORD0      0.444
#hist     SARE_TOCC_SPAMWORD0      Removed Mailinglist May 14 2005
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#max      SARE_TOCC_SPAMWORD0      2s/3h of 196688 corpus (96191s/100497h RM) 02/21/05
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_TOCC_SPAMWORD0      1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE X-Mailer Rules
########  ######################   ##################################################

header    SARE_XMAIL_BULK2         X-Mailer =~ /(?:Mail2000|Simple Mail Solutions)/i
describe  SARE_XMAIL_BULK2         Uses bulk mailer used by spammers
score     SARE_XMAIL_BULK2         0.100
#hist     SARE_XMAIL_BULK2         Bob Menschel: PSS Bulk Mailer, Calypso; removed OSM Client Feb 7 2005
#counts   SARE_XMAIL_BULK2         0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_XMAIL_BULK2         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_XMAIL_BULK2         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_BULK2         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_XMAIL_BULK4         X-Mailer =~ /(?:Master-SMTP)/i
describe  SARE_XMAIL_BULK4         Uses bulk mailer name forged by viruses
score     SARE_XMAIL_BULK4         0.277
#stype    SARE_XMAIL_BULK4         vbp
#hist     SARE_XMAIL_BULK4         Bob Menschel: Master-SMTP
#counts   SARE_XMAIL_BULK4         0s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#max      SARE_XMAIL_BULK4         5s/0h of 56804 corpus (32211s/24593h RM) 07/25/04
#counts   SARE_XMAIL_BULK4         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_XMAIL_BULK4         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_XMAIL_BULK4         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_BULK4         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Content-Type and Boundary rules
########  ######################   ##################################################

header    SARE_BOUNDARY_01         Content-Type =~ /boundary==?\".{0,}XXXX-/
describe  SARE_BOUNDARY_01         Spam tool pattern in MIME boundary
score     SARE_BOUNDARY_01         0.100
#hist     SARE_BOUNDARY_01         L.MIME_BOUND_SIMPLE
#counts   SARE_BOUNDARY_01         0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_BOUNDARY_01         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_BOUNDARY_01         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_01         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Rules which examine multiple header types
########  ######################   ##################################################

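# Ratware signature: a Message-ID whose local part is 20-26 uppercase letters
# (03A) combined with at least one of the header oddities 03B-03I below.
header    __SARE_MULT_RATW_03A     MESSAGEID =~ /^<[A-Z]{20,26}\@[\w\d\.]+>/
# 03B-03D: "from <dotted quad> by ..." with no host name given.
# The last two octets previously read \d{1.3}; "{1.3}" is not a quantifier, so
# the pattern demanded the literal text "{1.3}" after a digit and could not
# match a real address. Corrected to \d{1,3}.
header    __SARE_MULT_RATW_03B     Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};/
header    __SARE_MULT_RATW_03C     Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by ;/
header    __SARE_MULT_RATW_03D     Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by web\d{1,4}\.mail\.yahoo\.com;/
# 03F: the same capitalised name appears as both "from" and "by" host.
header    __SARE_MULT_RATW_03F     Received =~ /\bfrom ([A-Z][\w\.]+) by \1$/
# 03G: a literal "%HEAD_RND_DOM" token left in the header.
header    __SARE_MULT_RATW_03G     Received =~ /\%HEAD_RND_DOM/
# 03H: a qmail line with one fixed process id (14413).
header    __SARE_MULT_RATW_03H     Received =~ /\(qmail 14413 invoked from network\);/
# 03I: an all-lowercase two-word X-Mailer followed directly by an all-lowercase
# hyphenated header with a three-word value.
header    __SARE_MULT_RATW_03I     ALL =~ /\bX-Mailer: [a-z]+ [a-z]+\n[a-z]+\-[a-z]+: [a-z]+ [a-z]+ [a-z]+\n/s
# NOTE(review): __SARE_MULT_RATW_03E is referenced below but is not defined with
# the other sub-rules here; confirm it is defined elsewhere or drop the term.
meta      SARE_MULT_RATW_03        (__SARE_MULT_RATW_03A && (__SARE_MULT_RATW_03B || __SARE_MULT_RATW_03C || __SARE_MULT_RATW_03D || __SARE_MULT_RATW_03E || __SARE_MULT_RATW_03F || __SARE_MULT_RATW_03G || __SARE_MULT_RATW_03H || __SARE_MULT_RATW_03I))
describe  SARE_MULT_RATW_03        Spammer sign in headers
score     SARE_MULT_RATW_03        1.666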
#hist     SARE_MULT_RATW_03        LW_RATWARE4
#counts   SARE_MULT_RATW_03        0s/0h of 196708 corpus (96197s/100511h RM) 02/21/05
#max      SARE_MULT_RATW_03        321s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_MULT_RATW_03        57s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_MULT_RATW_03        172s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_MULT_RATW_03        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_MULT_RATW_03        1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_MULT_RATW_03        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MULT_RATW_03        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Miscellaneous and X-Header header rules 
########  ######################   ##################################################

header    SARE_HEAD_CONT_RNDCONT   Content-Transfer-Encoding =~ /CONTENT_ENCODING/i
describe  SARE_HEAD_CONT_RNDCONT   Spam passed through iswest.net relay
score     SARE_HEAD_CONT_RNDCONT   1.166  
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Sub-rule: Subject begins (after an optional "Re: "/"RE: ") with one to eight
# lowercase words. The pattern has no end anchor, so a single run of two
# lowercase letters at the start of the Subject is enough to satisfy it; the
# sub-rule is therefore very broad on its own and the meta below relies on the
# other three rules for its selectivity.
header    __SARE_HEAD_SUBJ_RAND    Subject =~ /^(?:R[Ee]: )?(?:[a-z]{2,20}[\-\.\,]?\s?){1,8}/	# no /i!
# NOTE(review): SARE_XMAIL_SUSP2, SARE_HEAD_XAUTH_WARN and X_AUTH_WARN_FAKED are
# not defined in this part of the file -- confirm each is available in the
# installed rule set, since this meta has no other source of selectivity.
meta      SARE_HEAD_SUBJ_RAND      (__SARE_HEAD_SUBJ_RAND && (SARE_XMAIL_SUSP2 || SARE_HEAD_XAUTH_WARN || X_AUTH_WARN_FAKED))
describe  SARE_HEAD_SUBJ_RAND      Subject is possibly random words
score     SARE_HEAD_SUBJ_RAND      1.033
#hist     SARE_HEAD_SUBJ_RAND      LW_BOGUS_SUBJECT 
#hist     SARE_HEAD_SUBJ_RAND      Added option for 3.0 rule X_AUTH_WARN_FAKED
#note     SARE_HEAD_SUBJ_RAND      Stored in HEADER rule set rather than SUBJ rule set because of its meta dependencies.
#ham      SARE_HEAD_SUBJ_RAND      confirmed (1): Re: entropy depletion
#counts   SARE_HEAD_SUBJ_RAND      0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#max      SARE_HEAD_SUBJ_RAND      343s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
#counts   SARE_HEAD_SUBJ_RAND      0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_SUBJ_RAND      82s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_SUBJ_RAND      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_SUBJ_RAND      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_SUBJ_RAND      6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_SUBJ_RAND      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_TOCC_DEFHNDL   All =~ /TO_CC_DEFAULT_HANDLER/i
describe  SARE_HEAD_TOCC_DEFHNDL   Spam passed through iswest.net relay
score     SARE_HEAD_TOCC_DEFHNDL   1.166  
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_XAUTH_WARN2    X-Authentication-Warning =~ /\b[A-Z]{2,5}[a-z]{5,7}[0-9]{2}\b/
describe  SARE_HEAD_XAUTH_WARN2    X-Authentication-Warning: Contains Spam Signature.
score     SARE_HEAD_XAUTH_WARN2    2.500
#stype    SARE_HEAD_XAUTH_WARN2    spamg
#hist     SARE_HEAD_XAUTH_WARN2    Mike Hogsett, Tuesday, May 25, 2004, CSL_X_AUTH_WARN_2
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_XAUTH_WARN2    46s/0h of 60623 corpus (35501s/25122h RM) 08/11/04
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_HEAD_XAUTH_WARN2    14s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_XAUTH_WARN2    1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when the X-CanItPRO-Stream header value starts with the word "sbw".
# The header name is one an anti-spam product writes; this rule keys on a
# specific stream value seen in spam (per the #hist line, refined with help
# from RoaringPenguin). Sites that run that product themselves should check
# that their own stream names cannot start with "sbw".
header    SARE_HEAD_XCANIT1        X-CanItPRO-Stream =~ /^sbw\b/
describe  SARE_HEAD_XCANIT1        Message headers used which identify spam
score     SARE_HEAD_XCANIT1        1.111
#stype    SARE_HEAD_XCANIT1        spamp
#hist     SARE_HEAD_XCANIT1        Enhanced from original SARE_HEAD_HDR_XCANITP rule with help from RoaringPenguin
#counts   SARE_HEAD_XCANIT1        0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#max      SARE_HEAD_XCANIT1        7s/0h of 68480 corpus (41098s/27382h RM) 09/18/04
#counts   SARE_HEAD_XCANIT1        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_XCANIT1        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_XCANIT1        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XCANIT1        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Forged-scanner-header check: the message carries X-CanItPRO-Stream but not
# X-Scanned-By. The meta rule treats the first header without the second as
# an incomplete (and therefore suspect) set of anti-spam headers.
# Both headers are plain text that any sender can add, so this catches only
# senders that copy one header and omit the other.
# NOTE(review): a local filter that strips or renames X-Scanned-By before
# SpamAssassin runs would make legitimate scanned mail hit this -- confirm.
header    __SARE_HEAD_XCANIT_H     exists:X-CanItPRO-Stream  
header    __SARE_HEAD_XCANIT_S     exists:X-Scanned-By
meta      SARE_HEAD_XCANIT2        __SARE_HEAD_XCANIT_H && !__SARE_HEAD_XCANIT_S
describe  SARE_HEAD_XCANIT2        Incomplete anti-spam headers signifying spam
score     SARE_HEAD_XCANIT2        0.555
#stype    SARE_HEAD_XCANIT2        spamp
#hist     SARE_HEAD_XCANIT2        Created by Bob Menschel Jan 29 2005 from information provided by RoaringPenguin
#counts   SARE_HEAD_XCANIT2        0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
#max      SARE_HEAD_XCANIT2        2s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#counts   SARE_HEAD_XCANIT2        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_XCANIT2        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_XCANIT2        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XCANIT2        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when the X-Originating-IP value contains the letters "ip" in any case.
# Presumably aimed at an unfilled "IP" template placeholder -- confirm.
# Caveat: with /i and no anchors, any value that contains "ip" (for example a
# hostname placed in this header instead of an address) also matches, and the
# score is high at 3.333. The most recent #counts lines show 0 spam hits.
header    SARE_HEAD_XORIP_IP       X-Originating-IP =~ /IP/i
describe  SARE_HEAD_XORIP_IP       header points to probable spammer
score     SARE_HEAD_XORIP_IP       3.333
#stype    SARE_HEAD_XORIP_IP       spamg
#counts   SARE_HEAD_XORIP_IP       0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_HEAD_XORIP_IP       4347s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_HEAD_XORIP_IP       0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_HEAD_XORIP_IP       0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_XORIP_IP       26s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HEAD_XORIP_IP       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XORIP_IP       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when X-Priority contains the literal text PRIORITY_NUMBER
# (case-insensitive). A real X-Priority value is a number, so this text looks
# like a mailer template placeholder that was never substituted -- presumably;
# confirm against a sample. All #counts lines for this rule show 0 hits.
header    SARE_HEAD_XPRI_RNDNUM    X-Priority =~ /PRIORITY_NUMBER/i
describe  SARE_HEAD_XPRI_RNDNUM    Spam passed through iswest.net relay
score     SARE_HEAD_XPRI_RNDNUM    1.666  
#stype    SARE_HEAD_XPRI_RNDNUM    spamg
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# EOF

# SARE Header Abuse Ruleset for SpamAssassin -- file 3
# Version:  01.03.16
# Created:  2004-04-25
# Modified: 2005-10-28
# Usage instructions and documentation in 70_sare_header0.cf 

# Full Revision History / Change Log in 70_sare_header.log
#@@# 01.03.16  Oct 28 2005
#@@#           Minor score updates based on additional mass-check
#@@#           Archived from file 3:     SARE_FREE_WEBM_Excite
#@@#           Archived from file 3:     SARE_FREE_WEBM_Softhom
#@@#           Archived from file 3:     SARE_FROM_NUM_8DIG; rely on SARE_FROM_NUM_9DIG and SA distrib FROM_ENDS_IN_NUMS
#@@#           Archived from file 3:     SARE_HEAD_HDR_XT2PID
#@@#           Archived from file 3:     SARE_MSGID_ADDED
#@@#           Archived from file 3:     SARE_MSGID_LONG35
#@@#           Archived from file 3:     SARE_MULT_VIA_FWCATS
#@@#           Archived from file 3:     SARE_RECV_IP_064152200
#@@#           Archived from file 3:     SARE_RECV_ISWEST
#@@#           Archived from file 3:     SARE_RECV_MANYMX
#@@#           Archived from file 3:     SARE_TOCC_BCC_MANY
#@@#           Archived from file 3:     SARE_XMAIL_XMAIL
#@@#           Moved file 1 to file 3:   SARE_FROM_NONAME
#@@#           Moved file 1 to file 3:   SARE_FROM_SPAM_CHAR0
#@@#           Moved file 1 to file 3:   SARE_HEAD_XCOM_RFCMIN
#@@#           Moved file 1 to file 3:   SARE_RECV_IP_080178
#@@#           Moved file 1 to file 3:   SARE_XMAIL_SUSP3
#@@#           Moved file 3 to file 1:   SARE_FROM_SPAM_MONEY2
#@@#           Moved file 3 to file 2:   SARE_FREE_WEBM_Iamfi
#@@#           Moved file 3 to file 2:   SARE_MSGID_ALL_CAPHM
#@@#           Moved file 3 to file 2:   SARE_TOCC_MAILDOMN
#@@#           Moved file 3 to file 2:   SARE_XMAIL_BULK4
#@@#           Moved file 3 to file 4:   SARE_FREE_WEBM_EsYahoo
#@@#           Moved file 3 to file 4:   SARE_FREE_WEBM_FrYahoo
#@@#           Moved file 3 to file 4:   SARE_FREE_WEBM_MYWAY
#@@#           Moved file 3 to file 4:   SARE_FROM_LEAD_PREP
#@@#           Moved file 3 to file 4:   SARE_FROM_NUM_9DIG
#@@#           Moved file 3 to file 4:   SARE_MSGID_ALL_LC
#@@#           Moved file 3 to file 4:   SARE_MSGID_LONG55
#@@#           Moved file 3 to file 4:   SARE_MSGID_LONG65
#@@#           Moved file 3 to file 4:   SARE_MSGID_LONG75
#@@#           Moved file 3 to file 4:   SARE_MULT_LCASE_X2
#@@#           Moved file 3 to file 4:   SARE_RECV_SPAM_DOMN05
#@@#           Moved file 3 to file 4:   SARE_RECV_SUSP_3
#@@#           Replaced                  __SARE_HEAD_HDR_RCVD with SA 3.1.0 rule __HAS_RCVD

# License: Artistic - see http://www.rulesemporium.com/license.txt 
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_header3.cf 

########  ######################   ##################################################
#    Component rules used within meta rules 
########  ######################   ##################################################

# Unscored sub-rule (double-underscore name): true when Subject contains three
# or more consecutive bytes in the range 0x80-0xFF.
# NOTE(review): this tests the Subject as SpamAssassin presents it to header
# rules; if the intent is raw, undecoded 8-bit bytes, confirm whether the
# ":raw" header modifier is needed.
header    __SARE_HEAD_8BIT_SUBJ    Subject =~ /[\x80-\xff]{3,}/

#####################################################################################
#         SARE Header-Exists rules
########  ######################   ##################################################

# Fires on the mere presence of an X-Kernel header, whatever its value.
# The description "fingerprint" is all the report will show; the #counts
# lines record 19 ham hits in the RM corpus, so this is not spam-only.
header    SARE_HEAD_HDR_XKRNL      exists:X-Kernel
describe  SARE_HEAD_HDR_XKRNL      fingerprint
score     SARE_HEAD_HDR_XKRNL      1.405
#hist     SARE_HEAD_HDR_XKRNL      Alex Broens, June 30, 2005
#counts   SARE_HEAD_HDR_XKRNL      63s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XKRNL      43s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_HEAD_HDR_XKRNL      200s/0h of 12846 corpus (4657s/8189h MM) 06/30/05

# Ham indicator: presence of X-Sequence lowers the score by 0.699
# ("tflags nice" marks the rule as one that is meant to score negative).
# The header is not authenticated in any way, so the credit is granted on the
# sender's say-so. Keep negative scores on header-exists rules small and
# re-check them against current mail before relying on them.
header    SARE_HEAD_HDR_XSEQ       exists:X-Sequence
describe  SARE_HEAD_HDR_XSEQ       Rarely abused email header 
score     SARE_HEAD_HDR_XSEQ       -0.699
#stype    SARE_HEAD_HDR_XSEQ       ham
tflags    SARE_HEAD_HDR_XSEQ       nice
#hist     SARE_HEAD_HDR_XSEQ       Loren Wilton, July 29 2005
#counts   SARE_HEAD_HDR_XSEQ       42s/1113h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XSEQ       0s/0h of 10551 corpus (5780s/4771h CT) 07/29/05

# Fires on the presence of an X-CC-Diagnostic header. Scored at 0.100, so it
# contributes almost nothing by itself; the #ham line records one confirmed
# legitimate message with this header.
header    SARE_HEAD_HDR_XCCDIAG    exists:X-CC-Diagnostic
describe  SARE_HEAD_HDR_XCCDIAG    Message headers used which identify spam
score     SARE_HEAD_HDR_XCCDIAG    0.100
#ham      SARE_HEAD_HDR_XCCDIAG    confirmed (1)
#counts   SARE_HEAD_HDR_XCCDIAG    1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_HDR_XCCDIAG    4s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#counts   SARE_HEAD_HDR_XCCDIAG    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XCCDIAG    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XCCDIAG    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05

# Fires when the message has an X-country header or an X-language header
# (either one is enough). The two sub-rules are unscored; only the meta rule
# carries the 0.250 score. Ham is known: the #ham line cites a valid PayPal
# message, and the latest RM #counts line shows 15 ham hits.
header    __SARE_HEAD_HDR_XCNTRY   exists:X-country
header    __SARE_HEAD_HDR_XLANG    exists:X-language
meta      SARE_HEAD_HDR_XCNTRY     __SARE_HEAD_HDR_XCNTRY || __SARE_HEAD_HDR_XLANG
describe  SARE_HEAD_HDR_XCNTRY     Message headers used which identify spam
score     SARE_HEAD_HDR_XCNTRY     0.250
#ham      SARE_HEAD_HDR_XCNTRY     confirmed (1, valid paypal email to user)
#counts   SARE_HEAD_HDR_XCNTRY     24s/15h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_HDR_XCNTRY     153s/0h of 69632 corpus (42598s/27034h RM) 09/26/04
#counts   SARE_HEAD_HDR_XCNTRY     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XCNTRY     1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XCNTRY     53s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XCNTRY     4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_HEAD_HDR_XCNTRY     12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_XCNTRY     0s/2h of 7500 corpus (1767s/5733h ft) 09/18/05

# Fires on the presence of an X-Kaspersky-Antivirus header.
# The header claims the message was virus-scanned, but nothing verifies the
# claim, so it says nothing about whether a scan took place. Per the #ham
# line it also appears in legitimate mail from Europe/Asia, especially
# Russia; sites with correspondents there should review the 1.136 score.
header    SARE_HEAD_HDR_XKASPAV    exists:X-Kaspersky-Antivirus
describe  SARE_HEAD_HDR_XKASPAV    Message headers used which identify spam
score     SARE_HEAD_HDR_XKASPAV    1.136
#ham      SARE_HEAD_HDR_XKASPAV    Can be found in ham from Europe/Asia, esp. Russia
#note     SARE_HEAD_HDR_XKASPAV    Keep in file 3 because "
#counts   SARE_HEAD_HDR_XKASPAV    200s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XKASPAV    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XKASPAV    37s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XKASPAV    5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XKASPAV    1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XKASPAV    3s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

# Fires on the presence of an X-Mailer-Thread header.
# NOTE(review): SARE_HEAD_HDR_XSMTPSV and SARE_HEAD_HDR_XUMAIL carry the same
# score and the same latest RM #counts figures (67s/10h) as this rule, which
# suggests all three headers come from one mailer and hit the same messages.
# If so, that mail is scored three times for one piece of evidence (about
# 1.0 in total) -- confirm, and consider a single meta rule.
header    SARE_HEAD_HDR_XMAILTH    exists:X-Mailer-Thread
describe  SARE_HEAD_HDR_XMAILTH    Message headers used which identify spam
score     SARE_HEAD_HDR_XMAILTH    0.338 
#ham      SARE_HEAD_HDR_XMAILTH    verified (1), likely (7)
#counts   SARE_HEAD_HDR_XMAILTH    67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XMAILTH    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMAILTH    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMAILTH    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMAILTH    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires on the presence of an X-MSGID header. Known ham sources per the #ham
# line: bankofamerica.com and mail sent with "X-Mailer: Supernova".
header    SARE_HEAD_HDR_XMSGID     exists:X-MSGID
describe  SARE_HEAD_HDR_XMSGID     Message headers used which identify spam
score     SARE_HEAD_HDR_XMSGID     0.696
#ham      SARE_HEAD_HDR_XMSGID     bankofamerica.com, also X-Mailer: Supernova
#counts   SARE_HEAD_HDR_XMSGID     126s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XMSGID     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMSGID     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMSGID     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMSGID     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires on the presence of an X-Return header. The latest RM #counts line
# shows 64 spam against 29 ham, which is why the score is only 0.119.
header    SARE_HEAD_HDR_XRETURN    exists:X-Return
describe  SARE_HEAD_HDR_XRETURN    Message headers used which identify spam
score     SARE_HEAD_HDR_XRETURN    0.119
#ham      SARE_HEAD_HDR_XRETURN    confirmed (1), Freelance Work Exchange
#counts   SARE_HEAD_HDR_XRETURN    64s/29h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XRETURN    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRETURN    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XRETURN    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRETURN    2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

# Fires on the presence of an X-SMTP-Server header.
# NOTE(review): score and latest RM #counts (67s/10h) are identical to
# SARE_HEAD_HDR_XMAILTH and SARE_HEAD_HDR_XUMAIL; the three rules presumably
# hit the same messages and so add up -- confirm.
header    SARE_HEAD_HDR_XSMTPSV    exists:X-SMTP-Server
describe  SARE_HEAD_HDR_XSMTPSV    Message headers used which identify spam
score     SARE_HEAD_HDR_XSMTPSV    0.338 
#ham      SARE_HEAD_HDR_XSMTPSV    verified (1) 
#counts   SARE_HEAD_HDR_XSMTPSV    67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XSMTPSV    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSMTPSV    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSMTPSV    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSMTPSV    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires on the presence of an X-System header. The #ham line shows the kind
# of legitimate value seen: a host and kernel banner ("Linux hell 2.6.8 i686").
header    SARE_HEAD_HDR_XSYSTEM    exists:X-System
describe  SARE_HEAD_HDR_XSYSTEM    Message headers used which identify spam
score     SARE_HEAD_HDR_XSYSTEM    0.625
#ham      SARE_HEAD_HDR_XSYSTEM    X-System: Linux hell 2.6.8 i686
#counts   SARE_HEAD_HDR_XSYSTEM    25s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XSYSTEM    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSYSTEM    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSYSTEM    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSYSTEM    0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05

# Fires on the presence of an X-UMail header.
# NOTE(review): score and latest RM #counts (67s/10h) are identical to
# SARE_HEAD_HDR_XMAILTH and SARE_HEAD_HDR_XSMTPSV; the three rules presumably
# hit the same messages and so add up -- confirm.
header    SARE_HEAD_HDR_XUMAIL     exists:X-UMail
describe  SARE_HEAD_HDR_XUMAIL     Message headers used which identify spam
score     SARE_HEAD_HDR_XUMAIL     0.338
#ham      SARE_HEAD_HDR_XUMAIL     verified (1) 
#counts   SARE_HEAD_HDR_XUMAIL     67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XUMAIL     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XUMAIL     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XUMAIL     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XUMAIL     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Ham indicator: presence of X-unolookiehere subtracts a full point
# ("tflags nice" marks an intentionally negative rule). All recorded hits are
# ham, and all come from the RM corpus (267h); the other corpora show none.
# The header is unauthenticated and this file is published, so the credit is
# available to any sender who adds the header. Sites that do not receive this
# mail stream gain nothing from the rule and can zero its score.
header    SARE_HEAD_HDR_XUNOLOOK   exists:X-unolookiehere
describe  SARE_HEAD_HDR_XUNOLOOK   Unique X-header found in email
score     SARE_HEAD_HDR_XUNOLOOK   -1.000
#stype    SARE_HEAD_HDR_XUNOLOOK   ham 
tflags    SARE_HEAD_HDR_XUNOLOOK   nice
#counts   SARE_HEAD_HDR_XUNOLOOK   0s/267h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XUNOLOOK   0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_HEAD_HDR_XUNOLOOK   0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HEAD_HDR_XUNOLOOK   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05

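# Ham indicator: presence of X-Unsubscribe lowers the score by 0.694
# ("tflags nice" marks an intentionally negative rule).
# The description is what appears in the report, so it must say that the hit
# counts in the message's favour rather than call the header a spam sign.
# The header is unauthenticated; the #max line records 15 spam hits, so the
# credit is not exclusive to legitimate lists.
header    SARE_HEAD_HDR_XUNSUB     exists:X-Unsubscribe
describe  SARE_HEAD_HDR_XUNSUB     Header used by valid newsletters or lists
score     SARE_HEAD_HDR_XUNSUB     -0.694
tflags    SARE_HEAD_HDR_XUNSUB     nice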
#stype    SARE_HEAD_HDR_XUNSUB     ham
#ham      SARE_HEAD_HDR_XUNSUB     Used by valid newsletters or lists
#counts   SARE_HEAD_HDR_XUNSUB     0s/25h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_HDR_XUNSUB     15s/94h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_HEAD_HDR_XUNSUB     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XUNSUB     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XUNSUB     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XUNSUB     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

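# Fires when a message has both an X-Mozilla-Draft-Info header and at least
# one Received header. Per the #ham notes, ham hits come from mail added to a
# corpus from "sent" folders, where the draft header is legitimate.
# NOTE(review): the change log for this file calls __HAS_RCVD an SA 3.1.0
# rule, yet it is also defined here. On 3.1.0 and later this line redefines a
# name the distribution already supplies -- confirm the local definition is
# only wanted for older versions.
header    __HAS_RCVD               exists:Received
header    __SARE_HEAD_MOZ_DRAFT    exists:X-Mozilla-Draft-Info
meta      SARE_HEAD_MOZ_DRAFT      __SARE_HEAD_MOZ_DRAFT  && __HAS_RCVD
# A description is supplied so that a hit is explained in the spam report.
describe  SARE_HEAD_MOZ_DRAFT      X-Mozilla-Draft-Info header on relayed message
score     SARE_HEAD_MOZ_DRAFT      0.646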
#ham      SARE_HEAD_MOZ_DRAFT      ham seems to be only on mails added to corpus from "sent" folders
#ham      SARE_HEAD_MOZ_DRAFT      Seen in ham starting 4/23/05. Update to Mozilla email client? 
#counts   SARE_HEAD_MOZ_DRAFT      0s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_MOZ_DRAFT      195s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
#counts   SARE_HEAD_MOZ_DRAFT      48s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_MOZ_DRAFT      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_MOZ_DRAFT      1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_MOZ_DRAFT      5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_MOZ_DRAFT      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Content-Type and Boundary rules
########  ######################   ##################################################

# Fires when the Content-Type header declares a MIME boundary that begins
# with the text "= Multipart Boundary " (case-insensitive, trailing space
# included). Low score: the #ham line confirms legitimate bulk senders
# (moveon.org, bordc.org) use the same boundary string.
header    SARE_BOUNDARY_MULTB      Content-Type =~ /boundary="= Multipart Boundary /i
describe  SARE_BOUNDARY_MULTB      Content type boundary used in spam and viruses
score     SARE_BOUNDARY_MULTB      0.229
#ham      SARE_BOUNDARY_MULTB      confirmed(2), moveon.org, bordc.org
#hist     SARE_BOUNDARY_MULTB      Created by Bob Menschel Aug 24 2004
#counts   SARE_BOUNDARY_MULTB      216s/53h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_MULTB      0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
#counts   SARE_BOUNDARY_MULTB      5s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_BOUNDARY_MULTB      6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_BOUNDARY_MULTB      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE From Rules 
########  ######################   ##################################################

# Fires when "debt" appears anywhere in the From header, case-insensitively.
# There are no word boundaries, so the display name and the address are both
# searched and longer words that contain "debt" match too. From is set by
# the sender, so this is a content hint, not an identity check.
header    SARE_FROM_DEBT           From =~ m'debt'i
describe  SARE_FROM_DEBT           From debt spammer
score     SARE_FROM_DEBT           0.736
#ham      SARE_FROM_DEBT           ffcdebthelp.com
#hist     SARE_FROM_DEBT           Created by Fred Tarasevicius Sep 14 2004
#counts   SARE_FROM_DEBT           858s/30h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_DEBT           3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_DEBT           84s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FROM_DEBT           93s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_FROM_DEBT           24s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_DEBT           37s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

# Fires when From contains a three-character label made of one digit followed
# by two letters, directly before .com, .net, .biz or .info. The leading \b
# means the label must start at a word boundary, so it is a whole domain
# label (or the local part of something that looks like one).
header    SARE_FROM_DLL            From =~ m'\b\d[a-z][a-z]\.(?:com|net|biz|info)\b'i
describe  SARE_FROM_DLL            Via a digit-letter-letter domain 
score     SARE_FROM_DLL            0.473
#ham      SARE_FROM_DLL            verified (3) 
#hist     SARE_FROM_DLL            Created by Bob Menschel Aug 23 2004
#counts   SARE_FROM_DLL            156s/22h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_DLL            4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FROM_DLL            6s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
#counts   SARE_FROM_DLL            9s/2h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_DLL            3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_DLL            0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when "--" appears anywhere after an "@" in the From header.
# Caveats:
#  - ".*" is not limited to the domain: text that follows the address, such
#    as a trailing comment or a second address, is searched as well.
#  - Internationalized domain names are encoded with labels that begin
#    "xn--", so every such sender domain matches this rule.
#  - The #ham line records a legitimate sender at a domain of the form
#    g--s.de.
header    SARE_FROM_MULTI_DASH     From =~ /\@.*--/
describe  SARE_FROM_MULTI_DASH     From domain has multiple consecutive hyphens
score     SARE_FROM_MULTI_DASH     0.934
#hist     SARE_FROM_MULTI_DASH     Tim Jackson, May 12 2005
#ham      SARE_FROM_MULTI_DASH     Valid email seen from gs at g--s dot de
#counts   SARE_FROM_MULTI_DASH     29s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_MULTI_DASH     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_MULTI_DASH     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_FROM_MULTI_DASH     0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

# Fires when From contains an empty quoted display name: two double quotes,
# one space, then the opening "<" of the address. The latest RM #counts line
# shows 99 ham hits, so some legitimate software emits this form too.
header    SARE_FROM_NONAME         From =~ /"" </
describe  SARE_FROM_NONAME         from has no name on purpose
score     SARE_FROM_NONAME         0.648
#hist     SARE_FROM_NONAME         Originally submitted by Fred Tarasevicius
#counts   SARE_FROM_NONAME         1874s/99h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_NONAME         15s/11h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_NONAME         17s/11h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_NONAME         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_NONAME         28s/4h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_NONAME         1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

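# Fires on a From address at hotmail.com whose local part ends with letters
# followed by six or more digits (case-insensitive).
# The dot in the domain is escaped so that it matches only a literal ".";
# an unescaped dot would accept any character in that position.
# From is sender-supplied, so a hit describes the claimed address only.
header    SARE_FROM_NUM_HOTML      From =~ /\b[a-z]+\d{6,}\@hotmail\.com/i
describe  SARE_FROM_NUM_HOTML      Apparent spammer email address pattern
score     SARE_FROM_NUM_HOTML      1.156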
#hist     SARE_FROM_NUM_HOTML      Created by Bob Menschel May 24 2004
#counts   SARE_FROM_NUM_HOTML      740s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_NUM_HOTML      16s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FROM_NUM_HOTML      19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FROM_NUM_HOTML      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_FROM_NUM_HOTML      6s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_NUM_HOTML      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_NUM_HOTML      0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05

# Still being refined; the score is kept low until the rule is more accurate.
# Fires when From contains a run of word characters holding at least four
# underscore-separated parts followed by another underscore, i.e. a phrase
# written with underscores in place of spaces.
# The negative lookahead skips tokens that start with
# "Please_Do_Not_Reply_To_This_" (or the same text without the leading P).
# Note that \w also matches "_", so the four \w+ groups are not forced to be
# separate words; any token with enough underscores satisfies the pattern.
header    SARE_FROM_PHRASE         From =~ /(?!P?lease_Do_Not_Reply_To_This_)\b\w+_\w+_\w+_\w+_/i
describe  SARE_FROM_PHRASE         Sender name appears to be phrase rather than name
score     SARE_FROM_PHRASE         0.078
#hist     SARE_FROM_PHRASE         Originally submitted by Bob Menschel
#ham      SARE_FROM_PHRASE         The Owner Center at My GMLink <The_Owner_Center_at_My_GMLink.UM.A.5.1302@www.imail.imrsvcs.com>
#counts   SARE_FROM_PHRASE         222s/88h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_PHRASE         3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FROM_PHRASE         10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FROM_PHRASE         16s/6h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FROM_PHRASE         17s/5h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FROM_PHRASE         0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FROM_PHRASE         1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FROM_PHRASE         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when the standalone word "printer" appears anywhere in From, in the
# display name or the address, case-insensitively. Mail sent by networked
# printers or scanners may use such a sender name -- check local devices
# before raising the score.
header    SARE_FROM_PRINTER        From =~ /\bprinter\b/i
describe  SARE_FROM_PRINTER        From user address seems to contain spam topic
score     SARE_FROM_PRINTER        0.444
#counts   SARE_FROM_PRINTER        69s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FROM_PRINTER        98s/4h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_FROM_PRINTER        2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_PRINTER        0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FROM_PRINTER        1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_FROM_PRINTER        1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_PRINTER        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when "quote" appears anywhere in From (name or address, any case, no
# word boundaries). The #ham lines list legitimate senders whose domain or
# mailbox contains the word, and the latest RM #counts line shows 83 ham hits.
header    SARE_FROM_QUOTE          From =~ /quote/i
describe  SARE_FROM_QUOTE          From name/address has "quote" as part of it
score     SARE_FROM_QUOTE          0.473
#hist     SARE_FROM_QUOTE          Fred Tarasevicius, FH_FROM_QUOTE 
#ham      SARE_FROM_QUOTE          resume from email account at intelliquote.com, hostquote@webhostdir.com
#ham      SARE_FROM_QUOTE          WisdomToday.com <xquotes@WisdomToday.com>
#counts   SARE_FROM_QUOTE          419s/83h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_QUOTE          11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_QUOTE          282s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_QUOTE          16s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_QUOTE          4s/2h of 6924 corpus (1403s/5521h ft) 07/27/05

# Fires when the From header value begins with a question mark. The /i flag
# has no effect on this pattern.
# NOTE(review): the #counts lines for this rule and for SARE_FROM_SPAM_CHAR0b
# are identical, so they presumably predate the split into two rules and do
# not describe either rule by itself -- confirm before tuning the score.
header    SARE_FROM_SPAM_CHAR0a    From =~ /^\?/i
describe  SARE_FROM_SPAM_CHAR0a    Sender name has unexpected or invalid characters
score     SARE_FROM_SPAM_CHAR0a    0.636
#counts   SARE_FROM_SPAM_CHAR0a    1408s/105h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_SPAM_CHAR0a    54s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_SPAM_CHAR0a    55s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_SPAM_CHAR0a    45s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_SPAM_CHAR0a    22s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_SPAM_CHAR0a    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
 
# Fires when the From header value begins with a dollar sign. The /i flag
# has no effect on this pattern.
# NOTE(review): the #counts lines for this rule and for SARE_FROM_SPAM_CHAR0a
# are identical, so they presumably predate the split into two rules and do
# not describe either rule by itself -- confirm before tuning the score.
header    SARE_FROM_SPAM_CHAR0b    From =~ /^\$/i
describe  SARE_FROM_SPAM_CHAR0b    Sender name has unexpected or invalid characters
score     SARE_FROM_SPAM_CHAR0b    0.636
#counts   SARE_FROM_SPAM_CHAR0b    1408s/105h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_SPAM_CHAR0b    54s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_SPAM_CHAR0b    55s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_SPAM_CHAR0b    45s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_SPAM_CHAR0b    22s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_SPAM_CHAR0b    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
 
# Fires when "zzz" appears anywhere in From, in any case, including inside a
# domain name. The #ham line records a valid bounce from a domain that
# contains the string.
header    SARE_FROM_SPAM_CHAR5     From =~ /zzz/i
describe  SARE_FROM_SPAM_CHAR5     Sender name has unlikely character string
score     SARE_FROM_SPAM_CHAR5     0.640
#ham      SARE_FROM_SPAM_CHAR5     Postmaster <postmaster@mail.zzzip.net> (valid bounce)
#counts   SARE_FROM_SPAM_CHAR5     114s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_SPAM_CHAR5     4s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FROM_SPAM_CHAR5     30s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FROM_SPAM_CHAR5     3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FROM_SPAM_CHAR5     9s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FROM_SPAM_CHAR5     1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPAM_CHAR5     0s/1h of 7500 corpus (1767s/5733h ft) 09/18/05

# Fires when From contains the word "support" immediately followed by a
# digit (for example a numbered support mailbox). Numbered support addresses
# are also used by legitimate help desks, as the #ham line shows, hence the
# very low score.
header    SARE_FROM_SUPPORT_DIG    From =~ /\bsupport\d/i
describe  SARE_FROM_SUPPORT_DIG    From user address is used by spammer
score     SARE_FROM_SUPPORT_DIG    0.135
#ham      SARE_FROM_SUPPORT_DIG    support1 @ $10domains.com
#hist     SARE_FROM_SUPPORT_DIG    Created by Bob Menschel Oct 07 2004
#counts   SARE_FROM_SUPPORT_DIG    9s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FROM_SUPPORT_DIG    25s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_FROM_SUPPORT_DIG    1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_SUPPORT_DIG    1s/4h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_SUPPORT_DIG    1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_SUPPORT_DIG    5s/1h of 6924 corpus (1403s/5521h ft) 07/27/05

#####################################################################################
#         SARE From Rules -- Emails coming from free webmail accounts
#         Since spam from these can vary depending upon country of origin, 
#         country of destination, policies, and enforcement of policies, 
#         most of these are kept as separate rules rather than combined. 
########  ######################   ##################################################

# Fires when From contains "123.com" starting at a word boundary.
# The pattern is not tied to the "@" and has no trailing boundary, so it
# also matches when 123.com is only a trailing part of a longer host name
# (after a dot or hyphen) or the start of a longer one.
header    SARE_FREE_WEBM_123       From =~ /\b123\.com/i
describe  SARE_FREE_WEBM_123       Sender used free email account - may be spammer
score     SARE_FREE_WEBM_123       0.389
#ham      SARE_FREE_WEBM_123       confirmed: 1, anonymous response via feedback page
#counts   SARE_FREE_WEBM_123       14s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_123       62s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_FREE_WEBM_123       0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#max      SARE_FREE_WEBM_123       5s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_123       0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#max      SARE_FREE_WEBM_123       10s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_FREE_WEBM_123       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_123       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when From contains an address at seznam.cz (case-insensitive).
# This scores a whole mail provider, so every legitimate user of it pays the
# same penalty; the From address is also sender-supplied and proves nothing
# about where the message really came from.
header    SARE_FREE_WEBM_CZSEZNA   From =~ /\@seznam\.cz/i
describe  SARE_FREE_WEBM_CZSEZNA   Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_CZSEZNA   0.248
#hist     SARE_FREE_WEBM_CZSEZNA   Created by Bob Menschel May 31 2004
#ham      SARE_FREE_WEBM_CZSEZNA   Confirmed (2) by JH
#counts   SARE_FREE_WEBM_CZSEZNA   41s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_CZSEZNA   2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FREE_WEBM_CZSEZNA   12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_CZSEZNA   91s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FREE_WEBM_CZSEZNA   186s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_CZSEZNA   0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_CZSEZNA   7s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_CZSEZNA   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when From contains an address at laposte.net (case-insensitive).
# Provider-wide rule: sites with correspondents on this provider should
# review the 0.721 score, since it applies to all of its users alike.
header    SARE_FREE_WEBM_LAPOSTE   From =~ /\@laposte\.net/i
describe  SARE_FREE_WEBM_LAPOSTE   Maybe spammer with free email
score     SARE_FREE_WEBM_LAPOSTE   0.721
#hist     SARE_FREE_WEBM_LAPOSTE   Created by Bob Menschel May 31 2004
#counts   SARE_FREE_WEBM_LAPOSTE   108s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_LAPOSTE   1s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_LAPOSTE   9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FREE_WEBM_LAPOSTE   1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_LAPOSTE   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

# Fires when From contains "purinmail.com" starting at a word boundary
# (case-insensitive). The pattern is not tied to the "@", so the text may be
# in the display name as well as in the address.
header    SARE_FREE_WEBM_Purin     From =~ /\bpurinmail\.com/i
describe  SARE_FREE_WEBM_Purin     Sender used free email account - may be spammer
score     SARE_FREE_WEBM_Purin     0.650
#hist     SARE_FREE_WEBM_Purin     Created by Bob Menschel Mar 26 2004
#counts   SARE_FREE_WEBM_Purin     12s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_FREE_WEBM_Purin     15s/0h of 125163 corpus (104972s/20191h) 03/28/04
#counts   SARE_FREE_WEBM_Purin     1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_Purin     0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FREE_WEBM_Purin     1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_FREE_WEBM_Purin     1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FREE_WEBM_Purin     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

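# Fires when From contains an address at mail.ru (case-insensitive).
# The trailing \b ends the match at the "ru" label, so a host name that only
# begins with "mail.ru" followed by more letters does not count as mail.ru.
# Provider-wide rule: it applies to every user of the service, and the From
# address is sender-supplied.
header    SARE_FREE_WEBM_RuMail    From =~ /\@mail\.ru\b/i
describe  SARE_FREE_WEBM_RuMail    Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_RuMail    0.671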
#counts   SARE_FREE_WEBM_RuMail    740s/36h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_RuMail    15s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_FREE_WEBM_RuMail    19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_RuMail    11s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FREE_WEBM_RuMail    27s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_RuMail    6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_RuMail    9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_RuMail    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_Smapxsm   From =~ /\bsmapxsmap\.net/i
describe  SARE_FREE_WEBM_Smapxsm   Sender used free email account - may be spammer
score     SARE_FREE_WEBM_Smapxsm   0.667
#note     SARE_FREE_WEBM_Smapxsm   Hits on "smapxsmap.net" at a word boundary anywhere in the From header (case-insensitive).
#note     SARE_FREE_WEBM_Smapxsm   From is sender-supplied and the pattern is not anchored on the right; treat as a weak hint.
#counts   SARE_FREE_WEBM_Smapxsm   12s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_Smapxsm   7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FREE_WEBM_Smapxsm   1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FREE_WEBM_Smapxsm   5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_FREE_WEBM_Smapxsm   0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_FREE_WEBM_Smapxsm   1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_FREE_WEBM_Smapxsm   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_SURIML    From =~ /\bsurimail\.com/i
describe  SARE_FREE_WEBM_SURIML    Sender used free email account - may be spammer 
score     SARE_FREE_WEBM_SURIML    0.555
#note     SARE_FREE_WEBM_SURIML    Hits on "surimail.com" at a word boundary anywhere in the From header (case-insensitive).
#note     SARE_FREE_WEBM_SURIML    Very few hits in any corpus below; From is sender-supplied, so treat as a weak hint.
#hist     SARE_FREE_WEBM_SURIML    Created by Bob Menschel June 12 2004
#counts   SARE_FREE_WEBM_SURIML    2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FREE_WEBM_SURIML    0s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_FREE_WEBM_SURIML    7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_SURIML    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_SURIML    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Message-ID rules
########  ######################   ##################################################

header    SARE_MSGID_LONG          MESSAGEID =~ /<.{135,}>/
describe  SARE_MSGID_LONG          Message ID is too long.
score     SARE_MSGID_LONG          0.202
#note     SARE_MSGID_LONG          Hits when a message-id value has 135 or more characters between "<" and ">".
#note     SARE_MSGID_LONG          The newest RM corpus shows 18 spam / 13 ham, which fits the low score; not a strong signal alone.
#ham      SARE_MSGID_LONG          confirmed (1)
#hist     SARE_MSGID_LONG          Jesse Houwing, August 20 2004
#counts   SARE_MSGID_LONG          18s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_MSGID_LONG          97s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_MSGID_LONG          29s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MSGID_LONG          4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_MSGID_LONG          7s/0h of 34763 corpus (18647s/16116h MY) 08/25/04
#counts   SARE_MSGID_LONG          0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MSGID_LONG          8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_LONG          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_MSGID_LONG40        MESSAGEID =~ /[a-z0-9\$]{40}/
meta      SARE_MSGID_LONG40        __SARE_MSGID_LONG40 && !__SARE_MSGID_LONG45 && !__SARE_MSGID_LONG50 && !__SARE_MSGID_LONG55 && !__SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75
describe  SARE_MSGID_LONG40        Message ID has suspicious length
score     SARE_MSGID_LONG40        0.637
#note     SARE_MSGID_LONG40        Sub-rule: a run of 40 characters from lowercase a-z, 0-9 or "$" in a message-id (no /i flag).
#note     SARE_MSGID_LONG40        The meta fires for the 40-44 bucket only; the longer-run sub-rules are negated to avoid overlap.
#note     SARE_MSGID_LONG40        NOTE(review): __SARE_MSGID_LONG50/55/65/75 are not defined in this part of the file.
#note     SARE_MSGID_LONG40        Confirm they are loaded from a companion file and check the --lint output.
#hist     SARE_MSGID_LONG40        Created by Frederic Tarasevicius
#counts   SARE_MSGID_LONG40        132s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_MSGID_LONG40        350s/5h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_MSGID_LONG40        67s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_MSGID_LONG40        10s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_MSGID_LONG40        45s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_MSGID_LONG40        12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MSGID_LONG40        29s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_LONG40        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_MSGID_LONG45        MESSAGEID =~ /[a-z0-9\$]{45}/
meta      SARE_MSGID_LONG45        __SARE_MSGID_LONG45 && !__SARE_MSGID_LONG50 && !__SARE_MSGID_LONG55 && !__SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75
describe  SARE_MSGID_LONG45        Message ID has suspicious length
score     SARE_MSGID_LONG45        0.893
#note     SARE_MSGID_LONG45        Sub-rule: a run of 45 characters from lowercase a-z, 0-9 or "$" in a message-id (no /i flag).
#note     SARE_MSGID_LONG45        NOTE(review): the negated __SARE_MSGID_LONG50/55/65/75 sub-rules are not defined in this part of the file.
#note     SARE_MSGID_LONG45        If they are missing at load time this meta presumably fires for every run of 45 or more; verify with --lint.
#hist     SARE_MSGID_LONG45        Created by Frederic Tarasevicius
#counts   SARE_MSGID_LONG45        450s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_MSGID_LONG45        7s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_MSGID_LONG45        28s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_MSGID_LONG45        1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_MSGID_LONG45        4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_LONG45        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Received Header Rules
########  ######################   ##################################################

header    SARE_HELO_EQ_CUST        X-Spam-Relays-Untrusted =~ /helo=\S*\.customer/i
score     SARE_HELO_EQ_CUST        0.122
#note     SARE_HELO_EQ_CUST        Hits when the HELO name recorded for an untrusted relay contains ".customer".
#note     SARE_HELO_EQ_CUST        Uses SpamAssassin's parsed relay metadata rather than raw Received text, so the result
#note     SARE_HELO_EQ_CUST        depends on trusted_networks being set correctly for the site.
#note     SARE_HELO_EQ_CUST        The HELO name is chosen by the connecting client, and the #ham line lists bill-pay senders.
#note     SARE_HELO_EQ_CUST        NOTE(review): there is no describe line, so reports have no explanatory text for this rule.
#ham      SARE_HELO_EQ_CUST        MyCheckFree, billpay@billpay.bankofamerica.com, 
#hist     SARE_HELO_EQ_CUST        Frederic Tarasevicius, Feb 22 2005
#counts   SARE_HELO_EQ_CUST        108s/42h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HELO_EQ_CUST        27s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_HELO_EQ_CUST        23s/6h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_HELO_EQ_CUST        12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_HELO_EQ_CUST        1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HELO_SENDER         Received =~ /helo=sender/i
describe  SARE_HELO_SENDER         Received header has possible spamsign
score     SARE_HELO_SENDER         0.486
#note     SARE_HELO_SENDER         Hits on the text "helo=sender" in any Received header (case-insensitive).
#note     SARE_HELO_SENDER         The pattern is unanchored, so HELO names that merely begin with "sender" also hit.
#note     SARE_HELO_SENDER         Raw Received is matched, including lines added before the message reached a trusted relay;
#note     SARE_HELO_SENDER         those lines are sender-controlled.
#hist     SARE_HELO_SENDER         Originally submitted by Bob Menschel. RM.hr_HeloSender
#ham      SARE_HELO_SENDER         American Express email to online business accepting their cards
#counts   SARE_HELO_SENDER         33s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HELO_SENDER         33s/3h of 60630 corpus (35509s/25121h RM) 08/11/04
#counts   SARE_HELO_SENDER         2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HELO_SENDER         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HELO_SENDER         0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HELO_SENDER         1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HELO_SENDER         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HELO_SERVER         Received =~ /\(helo=server\)/i
describe  SARE_HELO_SERVER         Received header has possible spamsign
score     SARE_HELO_SERVER         0.722
#note     SARE_HELO_SERVER         Hits only on the exact parenthesised token "(helo=server)" in a Received header (case-insensitive).
#note     SARE_HELO_SERVER         The #ham line and the CT #max line (8s/3h) both record legitimate mail with this HELO.
#ham      SARE_HELO_SERVER         confirmed (4): "opt-in" messages from Canon, ASDS Computer Co. software registration confirmation
#counts   SARE_HELO_SERVER         25s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HELO_SERVER         104s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_HELO_SERVER         2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HELO_SERVER         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HELO_SERVER         3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HELO_SERVER         8s/3h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HELO_SERVER         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_CHAR_CARAT     Received =~ /\^/
describe  SARE_RECV_CHAR_CARAT     Received header has apparently invalid character
score     SARE_RECV_CHAR_CARAT     0.619
#note     SARE_RECV_CHAR_CARAT     Hits when a literal "^" appears anywhere in any Received header.
#note     SARE_RECV_CHAR_CARAT     Only the RM and older JH corpora show hits; the rule is rare in the other corpora listed.
#ham      SARE_RECV_CHAR_CARAT     confirmed (1) 
#hist     SARE_RECV_CHAR_CARAT     Created by Bob Menschel May 3 2004
#counts   SARE_RECV_CHAR_CARAT     23s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_CHAR_CARAT     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_RECV_CHAR_CARAT     2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_CHAR_CARAT     0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_CHAR_CARAT     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_CHAR_CARAT     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_INFOSAT        Received =~ /\binfosat\.(?:com|net)/
describe  SARE_RECV_INFOSAT        Email passed through apparent spammer domain 
score     SARE_RECV_INFOSAT        0.618
#note     SARE_RECV_INFOSAT        Hits on "infosat.com" or "infosat.net" at a word boundary in any Received header (case-sensitive).
#note     SARE_RECV_INFOSAT        The name may come from rDNS, HELO or a "by" clause, and from Received lines the sender added,
#note     SARE_RECV_INFOSAT        so a hit does not prove the message transited that network.
#note     SARE_RECV_INFOSAT        Ham hits appear in the RM corpora below (5h, and 35h at the #max).
#counts   SARE_RECV_INFOSAT        37s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_INFOSAT        484s/35h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_INFOSAT        18s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_INFOSAT        17s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_INFOSAT        5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_INFOSAT        2s/1h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_RECV_SPAM_DOMN03    Received =~ /\b(?:takas)\.lt/
describe  SARE_RECV_SPAM_DOMN03    Email passed through apparent spammer domain 
score     SARE_RECV_SPAM_DOMN03    0.646
#note     SARE_RECV_SPAM_DOMN03    Hits on "takas.lt" at a word boundary in any Received header (case-sensitive, no right-hand anchor).
#note     SARE_RECV_SPAM_DOMN03    The single-entry group (?:takas) looks like the remainder of a longer domain list - presumably.
#note     SARE_RECV_SPAM_DOMN03    Raw Received text includes sender-added lines; treat the hit as a hint, not as routing evidence.
#counts   SARE_RECV_SPAM_DOMN03    56s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPAM_DOMN03    4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_RECV_SPAM_DOMN03    7s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_SPAM_DOMN03    3s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_SPAM_DOMN03    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_SPAM_DOMN03    2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_SPAM_DOMN03    2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_RECV_SPAM_DOMN07    Received =~ /\bnoos\.fr/
describe  SARE_RECV_SPAM_DOMN07    Spam passed through noos.fr relay
score     SARE_RECV_SPAM_DOMN07    0.615
#note     SARE_RECV_SPAM_DOMN07    Hits on "noos.fr" at a word boundary in any Received header (case-sensitive).
#note     SARE_RECV_SPAM_DOMN07    The largest corpus below records 44 ham hits; sites with correspondents on this
#note     SARE_RECV_SPAM_DOMN07    network should check the score locally.
#counts   SARE_RECV_SPAM_DOMN07    370s/44h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPAM_DOMN07    40s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_SPAM_DOMN07    55s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_SPAM_DOMN07    18s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_RECV_SPAM_DOMN07    8s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_SPAM_NAME1     Received =~ /\bHINET-IP/i 
describe  SARE_RECV_SPAM_NAME1     Email passed through probable spammer relay
score     SARE_RECV_SPAM_NAME1     0.614
#note     SARE_RECV_SPAM_NAME1     Hits on "HINET-IP" at a word boundary in any Received header (case-insensitive).
#note     SARE_RECV_SPAM_NAME1     Presumably this targets generic rDNS names of a provider's address pool; verify against current data.
#note     SARE_RECV_SPAM_NAME1     The largest corpus below records 35 ham hits.
#counts   SARE_RECV_SPAM_NAME1     349s/35h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPAM_NAME1     12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_SPAM_NAME1     11s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#max      SARE_RECV_SPAM_NAME1     15s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_SPAM_NAME1     8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_SPAM_NAME1     8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_SPAM_NAME1     1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_RECV_SPAM_NAME2     Received =~ /\bnetvigator\.com/
describe  SARE_RECV_SPAM_NAME2     Spam passed through netvigator.com system
score     SARE_RECV_SPAM_NAME2     0.393
#note     SARE_RECV_SPAM_NAME2     Hits on "netvigator.com" at a word boundary in any Received header (case-sensitive).
#note     SARE_RECV_SPAM_NAME2     The describe text says "Spam", but the rule tests only for the domain name.
#note     SARE_RECV_SPAM_NAME2     The largest corpus below records 24 ham hits.
#hist     SARE_RECV_SPAM_NAME2     Created by Bob Menschel June 9 2004
#ham      SARE_RECV_SPAM_NAME2     Appropriate (probably not spam) UCE via TradeEasy to CW.com, 3 in 2003, 1 in 2004
#counts   SARE_RECV_SPAM_NAME2     155s/24h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_SPAM_NAME2     19s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_SPAM_NAME2     4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_RECV_SPAM_NAME2     5s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_SPAM_NAME2     2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_SPAM_NAME2     5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_SPAM_NAME2     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Received Header IP Address Rules
########  ######################   ##################################################

header    SARE_RECV_IP_066111      Received =~ /\[66\.111\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
describe  SARE_RECV_IP_066111      Passed through possible spammer relay or source
score     SARE_RECV_IP_066111      0.347
#note     SARE_RECV_IP_066111      Hits on a bracketed IP with third octet 192-255, i.e. 66.111.192.0/18, in any Received header.
#note     SARE_RECV_IP_066111      Address blocks get reassigned and the counts below date from 2004-2005;
#note     SARE_RECV_IP_066111      re-check the range against current data before relying on the score.
#note     SARE_RECV_IP_066111      Received lines added before a trusted relay are sender-controlled.
#ham      SARE_RECV_IP_066111      confirmed (1) 
#note     SARE_RECV_IP_066111      WebHostPlus
#hist     SARE_RECV_IP_066111      Created by Bob Menschel Nov 27 2004
#counts   SARE_RECV_IP_066111      38s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_066111      0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_066111      12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_066111      90s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_066111      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_066111      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_069194      Received =~ /from \[62\.19[45]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_069194      Spam passed through possible spammer relay
score     SARE_RECV_IP_069194      1.666
#note     SARE_RECV_IP_069194      Hits when "from [" is followed directly by an address in 62.194.0.0/15 (62.194.x.x or 62.195.x.x).
#note     SARE_RECV_IP_069194      NOTE(review): the rule name says 069.194 but the pattern matches 62.19[45]; confirm which was intended.
#note     SARE_RECV_IP_069194      This is the highest score among the Received-IP rules in this part of the file,
#note     SARE_RECV_IP_069194      while the newest RM corpus shows only 14 spam hits of 689155; re-validate before relying on it.
#stype    SARE_RECV_IP_069194      spamp
#counts   SARE_RECV_IP_069194      14s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_RECV_IP_069194      213s/0h of 106584 corpus (86917s/19667h) 03/13/04
#counts   SARE_RECV_IP_069194      2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_069194      1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_069194      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_069194      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_080032      Received =~ /\[80\.32\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_080032      Spam passed through possible spammer relay
score     SARE_RECV_IP_080032      0.615
#note     SARE_RECV_IP_080032      Hits on any bracketed address in 80.32.0.0/16 in any Received header.
#note     SARE_RECV_IP_080032      A whole /16 is penalised on a small sample (30 spam / 2 ham in the largest corpus below);
#note     SARE_RECV_IP_080032      re-check against current traffic before relying on the score.
#ham      SARE_RECV_IP_080032      confirmed (1) 
#hist     SARE_RECV_IP_080032      Created by Bob Menschel Apr 28 2004
#counts   SARE_RECV_IP_080032      30s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_080032      1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_RECV_IP_080032      2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_080032      0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_080032      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_080032      2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_080032      1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_RECV_IP_080040      Received =~ /\[80\.4[1-7]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_080040      Spam passed through possible spammer relay 
score     SARE_RECV_IP_080040      0.456
#note     SARE_RECV_IP_080040      Hits on any bracketed address from 80.41.0.0 through 80.47.255.255 in any Received header.
#note     SARE_RECV_IP_080040      The rule name says 080040, but 80.40.x.x itself is not matched.
#note     SARE_RECV_IP_080040      The JH corpus below shows more ham than spam (11s/18h); check local traffic before keeping the score.
#ham      SARE_RECV_IP_080040      confirmed (6) 
#hist     SARE_RECV_IP_080040      Created by Bob Menschel June 7 2004
#counts   SARE_RECV_IP_080040      298s/21h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_080040      11s/18h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_080040      14s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_080040      3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_080040      5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_080040      2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_080178      Received =~ /\[80\.17[89]\.\d{1,3}\.\d{1,3}\]/
describe  SARE_RECV_IP_080178      Spam passed through possible spammer relay
score     SARE_RECV_IP_080178      0.391
#note     SARE_RECV_IP_080178      Hits on any bracketed address in 80.178.0.0/15 (80.178.x.x or 80.179.x.x) in any Received header.
#note     SARE_RECV_IP_080178      The largest corpus below records 60 ham hits and the #ham line names personal mail,
#note     SARE_RECV_IP_080178      so the range carries ordinary user traffic as well.
#ham      SARE_RECV_IP_080178      Family email from Israel
#counts   SARE_RECV_IP_080178      409s/60h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_080178      11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_IP_080178      21s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_080178      11s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_080178      11s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_080178      4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_080178      1s/1h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_222126      Received =~ /\[222\.126\.(?:\d{1,2}|1[01]\d|12[0-7])\.\d{1,3}\]/
describe  SARE_RECV_IP_222126      Passed through possible spammer relay or source
score     SARE_RECV_IP_222126      0.612
#note     SARE_RECV_IP_222126      Hits on a bracketed IP with third octet 0-127, i.e. 222.126.0.0/17, in any Received header.
#note     SARE_RECV_IP_222126      The owner named in the note below was recorded in 2004; allocations change, so re-check before relying on it.
#note     SARE_RECV_IP_222126      Infocom, Makati City, PH
#hist     SARE_RECV_IP_222126      Created by Bob Menschel Dec 01 2004
#counts   SARE_RECV_IP_222126      37s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_222126      3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_222126      1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_IP_222126      0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_RECV_IP_222126      1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_222126      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Reply-To Rules 
########  ######################   ##################################################

header    SARE_REPLY_SPAMWORD2     Reply-To =~ /(?:amateur|funny|interacia)/i
describe  SARE_REPLY_SPAMWORD2     Reply-To email addr incl spam indicator word
score     SARE_REPLY_SPAMWORD2     0.486
#note     SARE_REPLY_SPAMWORD2     Hits when any of the three words appears as a substring anywhere in Reply-To (case-insensitive).
#note     SARE_REPLY_SPAMWORD2     There are no word boundaries and the display name is included, so ordinary names containing "funny" also hit.
#ham      SARE_REPLY_SPAMWORD2     confirmed (1)
#counts   SARE_REPLY_SPAMWORD2     10s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_REPLY_SPAMWORD2     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_REPLY_SPAMWORD2     1s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_REPLY_SPAMWORD2     25s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_REPLY_SPAMWORD2     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_REPLY_SPAMWORD2     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE TO & CC Rules  
########  ######################   ##################################################

header    SARE_TOCC_SLASHES        ToCc =~ m'//'
describe  SARE_TOCC_SLASHES        Spam sign: double slashes in To/Cc headers
score     SARE_TOCC_SLASHES        0.111
#note     SARE_TOCC_SLASHES        Hits when "//" appears anywhere in the combined To/Cc headers.
#note     SARE_TOCC_SLASHES        The pattern uses m'...' delimiters, so the slashes need no escaping.
#note     SARE_TOCC_SLASHES        Very few hits in any corpus below, which fits the low score.
#counts   SARE_TOCC_SLASHES        4s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_TOCC_SLASHES        9s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
#counts   SARE_TOCC_SLASHES        1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TOCC_SLASHES        1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_SLASHES        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_SLASHES        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE X-Mailer Rules
########  ######################   ##################################################

header    SARE_XMAIL_BULK3a        X-Mailer =~ /Foxmail/i
describe  SARE_XMAIL_BULK3a        Uses bulk mailer used by spammers
score     SARE_XMAIL_BULK3a        0.735
#note     SARE_XMAIL_BULK3a        Hits when "Foxmail" appears anywhere in X-Mailer (case-insensitive).
#note     SARE_XMAIL_BULK3a        The #ham line records legitimate mail carrying the same Foxmail X-Mailer string as the spam,
#note     SARE_XMAIL_BULK3a        so expect false positives where that client is in normal use.
#note     SARE_XMAIL_BULK3a        NOTE(review): #hist names PSS Bulk Mailer and Calypso, which this pattern does not match;
#note     SARE_XMAIL_BULK3a        presumably left over from an earlier combined rule - confirm.
#ham      SARE_XMAIL_BULK3a        ham from 2003 from China, "Foxmail 4.[12] \[cn\]", same as found in spam
#hist     SARE_XMAIL_BULK3a        Bob Menschel: PSS Bulk Mailer, Calypso
#counts   SARE_XMAIL_BULK3a        2166s/65h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_BULK3a        4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_XMAIL_BULK3a        5s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_XMAIL_BULK3a        0s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_XMAIL_BULK3a        4s/1h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_XMAIL_BULK3a        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_BULK3a        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#todo     SARE_XMAIL_BULK5         Add test for BSP-Trusted.
header    SARE_XMAIL_BULK5         X-Mailer =~ /(?:Roving Constant Contact)/i
describe  SARE_XMAIL_BULK5         Uses ham mailer, sometimes abused
score     SARE_XMAIL_BULK5         0.648
#note     SARE_XMAIL_BULK5         Hits when "Roving Constant Contact" appears anywhere in X-Mailer (case-insensitive).
#note     SARE_XMAIL_BULK5         X-Mailer is sender-supplied, so the string identifies what the sender claims to use.
#note     SARE_XMAIL_BULK5         The #todo above is still open; ham hits appear in most of the corpora below.
#hist     SARE_XMAIL_BULK5         Bob Menschel: Roving Constant Contact
#counts   SARE_XMAIL_BULK5         1641s/90h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_XMAIL_BULK5         1900s/67h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts   SARE_XMAIL_BULK5         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_XMAIL_BULK5         0s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_XMAIL_BULK5         0s/3h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_XMAIL_BULK5         3s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_BULK5         0s/2h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_XMAIL_LCDD          X-Mailer=~/^[a-z]+ \d\.\d$/
describe  SARE_XMAIL_LCDD          Ratware mailer
score     SARE_XMAIL_LCDD          0.642
#note     SARE_XMAIL_LCDD          Hits when X-Mailer is exactly one lowercase word, a space and a "digit.digit" version (e.g. "abc 1.0").
#note     SARE_XMAIL_LCDD          The pattern is anchored at both ends and case-sensitive; the #ham line lists real tools of that shape.
#note     SARE_XMAIL_LCDD          SARE_XMAIL_SUSP3 negates this rule in its meta, so both must stay in the same file.
#ham      SARE_XMAIL_LCDD          X-Mailer: reportbug 3.8, tlmpmail 0.9
#counts   SARE_XMAIL_LCDD          134s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_XMAIL_LCDD          172s/0h of 33004 corpus (9761s/23243h RM) 05/21/04
#counts   SARE_XMAIL_LCDD          5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_XMAIL_LCDD          31s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_XMAIL_LCDD          0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_XMAIL_LCDD          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_LCDD          1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_XMAIL_SUSP3       X-Mailer=~ /^(?:[a-z\-]+\s+[a-z\-]+(?:,\s+[a-z\-]+)?|[a-z\-]+ \d\.\d)$/
meta      SARE_XMAIL_SUSP3         __SARE_XMAIL_SUSP3 && !SARE_XMAIL_LCDD
describe  SARE_XMAIL_SUSP3         Contains a suspicious X-Mailer header
score     SARE_XMAIL_SUSP3         1.208
#note     SARE_XMAIL_SUSP3         Sub-rule: X-Mailer is exactly two lowercase/hyphen words (optionally ", third"), or "word d.d".
#note     SARE_XMAIL_SUSP3         The meta drops cases already scored by SARE_XMAIL_LCDD, so one X-Mailer value is not scored twice.
#note     SARE_XMAIL_SUSP3         What remains from the second branch is a hyphenated word plus version; LCDD's [a-z]+ has no hyphen.
#note     SARE_XMAIL_SUSP3         X-Mailer is sender-supplied; the corpus counts below fall off after 2004.
#hist     SARE_XMAIL_SUSP3         Jesse Houwing, SARE_TM2_RW_XM
#hist     SARE_XMAIL_SUSP3         Modified to meta to avoid overlap with SARE_XMAIL_LCDD; must be in same file as LCDD
#ham      SARE_XMAIL_SUSP3         "a script" from macromedia.com
#counts   SARE_XMAIL_SUSP3         137s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_XMAIL_SUSP3         505s/1h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_XMAIL_SUSP3         97s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_XMAIL_SUSP3         291s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_XMAIL_SUSP3         0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_XMAIL_SUSP3         49s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_XMAIL_SUSP3         1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_XMAIL_SUSP3         10s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_XMAIL_SUSP3         0s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#max      SARE_XMAIL_SUSP3         1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05

#####################################################################################
#         SARE Miscellaneous and X-Header header rules 
########  ######################   ##################################################

header    SARE_HEAD_DATE39         Date =~ /^.{39}$/
describe  SARE_HEAD_DATE39         Date header suggests this is spam
score     SARE_HEAD_DATE39         0.660
#note     SARE_HEAD_DATE39         Hits when the Date header value is exactly 39 characters long; the content is not inspected.
#note     SARE_HEAD_DATE39         Only the RM corpora below show any hits, so the pattern may be specific to that mail stream - verify locally.
#counts   SARE_HEAD_DATE39         151s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_DATE39         264s/3h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_HEAD_DATE39         0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_HEAD_DATE39         0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_HEAD_DATE39         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_DATE39         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_DATE61         Date =~ /^.{57,61}$/
score     SARE_HEAD_DATE61         -1.000
tflags    SARE_HEAD_DATE61         nice
#note     SARE_HEAD_DATE61         Ham-indicator rule: subtracts a full point when the Date value is 57 to 61 characters long.
#note     SARE_HEAD_DATE61         NOTE(review): Date is sender-supplied and only its length is tested, so the credit rests on
#note     SARE_HEAD_DATE61         2005 corpus behaviour (0 spam hits below); re-run mass-check before keeping a -1.000 score.
#note     SARE_HEAD_DATE61         NOTE(review): there is no describe line, so reports have no explanatory text for this rule.
#stype    SARE_HEAD_DATE61         ham
#counts   SARE_HEAD_DATE61         0s/72h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_DATE61         0s/5h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_DATE61         0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_HEAD_DATE61         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_DATE61         0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_HEAD_DATE_ADDED     Date =~ /\(added by/
describe  SARE_HEAD_DATE_ADDED     Original email had no date - added by later system
score     SARE_HEAD_DATE_ADDED     0.139
#note     SARE_HEAD_DATE_ADDED     Hits when the Date header contains the literal text "(added by" (case-sensitive).
#note     SARE_HEAD_DATE_ADDED     Presumably a relay writes that comment when it inserts a missing Date; the rule tests only for the text.
#ham      SARE_HEAD_DATE_ADDED     technical notification email from att.com
#counts   SARE_HEAD_DATE_ADDED     3s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_HEAD_DATE_ADDED     21s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_DATE_ADDED     2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_DATE_ADDED     0s/1h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HEAD_DATE_ADDED     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_DATE_ADDED     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_HEAD_DATE_L1a     Date =~ /.{50}/
header    __SARE_HEAD_DATE_L1b     Date =~ /added by/
meta      SARE_HEAD_DATE_LONG1     __SARE_HEAD_DATE_L1a && !__SARE_HEAD_DATE_L1b
describe  SARE_HEAD_DATE_LONG1     Date header has interesting length
score     SARE_HEAD_DATE_LONG1     -0.500
tflags    SARE_HEAD_DATE_LONG1     nice
#note     SARE_HEAD_DATE_LONG1     Ham-indicator rule: Date value is 50 or more characters long and does not contain "added by".
#note     SARE_HEAD_DATE_LONG1     It overlaps SARE_HEAD_DATE61 (57-61 characters), so such a Date earns both negative scores.
#note     SARE_HEAD_DATE_LONG1     NOTE(review): Date is sender-supplied and the largest corpus below already shows 97 spam hits;
#note     SARE_HEAD_DATE_LONG1     keep the credit small and re-validate with mass-check.
#stype    SARE_HEAD_DATE_LONG1     ham
#hist     SARE_HEAD_DATE_LONG1     Developed by Bob Menschel from rule by Frederic Tarasevicius
#hist     SARE_HEAD_DATE_LONG1     Reduce spam hits, Oct 13 2005, Bob Menschel
#counts   SARE_HEAD_DATE_LONG1     97s/3020h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_DATE_LONG1     2s/25h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_DATE_LONG1     0s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_DATE_LONG1     0s/3h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_DATE_LONG1     0s/28h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_HEAD_XCOM_RFCMIN    X-Comment =~ /Sending client does not conform to RFC822 minimum requirements/i
describe  SARE_HEAD_XCOM_RFCMIN    AT&T Maillennium does not like this email
score     SARE_HEAD_XCOM_RFCMIN    0.555
#note     SARE_HEAD_XCOM_RFCMIN    Hits when an X-Comment header carries this exact sentence (case-insensitive).
#note     SARE_HEAD_XCOM_RFCMIN    Nothing ties the header to the relay that wrote it, so any sender can add or omit it.
#note     SARE_HEAD_XCOM_RFCMIN    The newest RM corpus shows more ham than spam (3s/5h); the score may no longer be justified - verify.
#ham      SARE_HEAD_XCOM_RFCMIN    confirmed (2) 
#hist     SARE_HEAD_XCOM_RFCMIN    Created by Bob Menschel Sep 05 2004
#counts   SARE_HEAD_XCOM_RFCMIN    3s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_XCOM_RFCMIN    3s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#counts   SARE_HEAD_XCOM_RFCMIN    0s/0h of 19447 corpus (16862s/2585h MY) 09/05/04
#counts   SARE_HEAD_XCOM_RFCMIN    0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
#counts   SARE_HEAD_XCOM_RFCMIN    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XCOM_RFCMIN    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Rules which examine multiple header types
########  ######################   ##################################################

#note     __SARE_HEAD_8BIT_HDRS    Unscored sub-rules for the 8-bit metas that follow; each hits on three or more consecutive
#note     __SARE_HEAD_8BIT_HDRS    bytes in the range 0x80-0xff. HDRS looks at all headers, RPLY at Reply-To, FROM at From.
#note     __SARE_HEAD_8BIT_HDRS    NOTE(review): SUBJ_ILLEGAL_CHARS is redeclared here although the note calls it a standard
#note     __SARE_HEAD_8BIT_HDRS    SpamAssassin rule; confirm the arguments match the installed stock definition.
#note     __SARE_HEAD_8BIT_HDRS    NOTE(review): no meta in this part of the file references __SARE_HEAD_8BIT_RPLY or
#note     __SARE_HEAD_8BIT_HDRS    __SARE_HEAD_8BIT_FROM; confirm they are still needed.
header    __SARE_HEAD_8BIT_HDRS    ALL =~ /[\x80-\xff]{3,}/
header    SUBJ_ILLEGAL_CHARS       eval:check_illegal_chars('Subject','0.00','2')
#note     SUBJ_ILLEGAL_CHARS       Standard SpamAssassin rule/test
#counts   __SARE_HEAD_8BIT_HDRS    14742s/63h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   __SARE_HEAD_8BIT_HDRS    1297s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   __SARE_HEAD_8BIT_HDRS    0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
header    __SARE_HEAD_8BIT_RPLY    Reply-To =~ /[\x80-\xff]{3,}/
#counts   __SARE_HEAD_8BIT_RPLY    6259s/9h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   __SARE_HEAD_8BIT_RPLY    728s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   __SARE_HEAD_8BIT_RPLY    0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
header    __SARE_HEAD_8BIT_FROM    From =~ /[\x80-\xff]{3,}/
#counts   __SARE_HEAD_8BIT_FROM    8565s/23h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   __SARE_HEAD_8BIT_FROM    1823s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   __SARE_HEAD_8BIT_FROM    2s/0h of 26190 corpus (22790s/3400h MY) 02/15/05

meta      SARE_HEAD_8BIT_NOSPM     __SARE_HEAD_8BIT_HDRS && !__SARE_HEAD_8BIT_DATE && !__SARE_HEAD_8BIT_RECV && !__SARE_HEAD_8BIT_SUBJ
describe  SARE_HEAD_8BIT_NOSPM     Header with 8-bit char suggests spam
score     SARE_HEAD_8BIT_NOSPM     0.385
#note     SARE_HEAD_8BIT_NOSPM     Fires when some header has a run of 3+ high-bit bytes and the Date, Received and Subject
#note     SARE_HEAD_8BIT_NOSPM     sub-rules do not hit.
#note     SARE_HEAD_8BIT_NOSPM     NOTE(review): __SARE_HEAD_8BIT_DATE, __SARE_HEAD_8BIT_RECV and __SARE_HEAD_8BIT_SUBJ are not
#note     SARE_HEAD_8BIT_NOSPM     defined in this part of the file. If they are missing at load time the exclusions presumably
#note     SARE_HEAD_8BIT_NOSPM     never apply and this rule fires whenever __SARE_HEAD_8BIT_HDRS does; verify with --lint.
#hist     SARE_HEAD_8BIT_NOSPM     June 18 2005, Bob Menschel: Added exclusion for subject header
#counts   SARE_HEAD_8BIT_NOSPM     593s/85h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HEAD_8BIT_NOSPM     164s/80h of 268479 corpus (127479s/141000h RM) 06/17/05
#counts   SARE_HEAD_8BIT_NOSPM     3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

#note     SARE_HEAD_8BIT_SPAM      NOTE(review): SARE_HEAD_8BIT_SPAM is defined twice below with different logic, text and score.
#note     SARE_HEAD_8BIT_SPAM      A later definition of a rule name is expected to replace the earlier one, so the first stanza
#note     SARE_HEAD_8BIT_SPAM      (score 1.666) is presumably dead and only the Subject stanza (score 0.888) takes effect.
#note     SARE_HEAD_8BIT_SPAM      Confirm with --lint; if both tests are wanted, the second needs its own rule name.
#note     SARE_HEAD_8BIT_SPAM      NOTE(review): the first meta negates __SARE_HEAD_8BIT_NOSPM, SARE_HEAD_8BIT_DATE and
#note     SARE_HEAD_8BIT_SPAM      SARE_HEAD_8BIT_RECV. The rule defined above is SARE_HEAD_8BIT_NOSPM (no "__" prefix), and that
#note     SARE_HEAD_8BIT_SPAM      rule uses the "__"-prefixed DATE and RECV names. The prefixes look swapped - confirm.
meta      SARE_HEAD_8BIT_SPAM      __SARE_HEAD_8BIT_HDRS && !__SARE_HEAD_8BIT_NOSPM && !SARE_HEAD_8BIT_DATE && !SARE_HEAD_8BIT_RECV && !__SARE_HEAD_8BIT_SUBJ
describe  SARE_HEAD_8BIT_SPAM      High-ascii characters found in strange header
score     SARE_HEAD_8BIT_SPAM      1.666
#hist     SARE_HEAD_8BIT_SPAM      From Bugzilla # 2243
#hist     SARE_HEAD_8BIT_SPAM      June 18 2005, Bob Menschel: Added exclusion for subject header
#todo%%%  SARE_HEAD_8BIT_SPAM      Analysis on avoiding the ham 

#note     SARE_HEAD_8BIT_SPAM      Second definition: the Subject 8-bit sub-rule hits and SUBJ_ILLEGAL_CHARS does not.
#note     SARE_HEAD_8BIT_SPAM      __SARE_HEAD_8BIT_SUBJ is not defined in this part of the file; confirm where it is loaded from.
meta      SARE_HEAD_8BIT_SPAM      __SARE_HEAD_8BIT_SUBJ && !SUBJ_ILLEGAL_CHARS
describe  SARE_HEAD_8BIT_SPAM      High-ascii characters found in subject header
score     SARE_HEAD_8BIT_SPAM      0.888
#hist     SARE_HEAD_8BIT_SPAM      Bob Menschel implementation, June 17 2005
#counts   SARE_HEAD_8BIT_SPAM      7948s/130h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_8BIT_SPAM      5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_HEAD_8BIT_SPAM      1s/2h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_HEAD_8BIT_SPAM      5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

# EOF

